
Windows Analysis Report
PO#50124.exe

Overview

General Information

Sample name: PO#50124.exe
Analysis ID: 1432053
MD5: b4306234a3b45c69df6a6a7cecd6070c
SHA1: 323197c988bc794e3a6314fce81dc20c48d234ee
SHA256: 13129eaaaee8200a17214e947f0e984d10050e79c2cd5a963d7ada54ce3aa0a8
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PO#50124.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\PO#50124.exe" MD5: B4306234A3B45C69DF6A6A7CECD6070C)
    • PO#50124.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\PO#50124.exe" MD5: B4306234A3B45C69DF6A6A7CECD6070C)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alkuwaiti.com", "Username": "electronics@alkuwaiti.com", "Password": "Ele@1804"}
Yara matches in memory dumps (Source | Rule | Description | Author):
  • 00000003.00000002.2591871064.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000003.00000002.2591871064.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000003.00000002.2591871064.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  (further entries collapsed in the original report)

Yara matches in unpacked PE files (Source | Rule | Description | Author):
  • 0.2.PO#50124.exe.3fc3688.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.PO#50124.exe.3fc3688.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0.2.PO#50124.exe.3fc3688.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    Matched strings:
    • 0x316bd: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x3172f: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x317b9: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x3184b: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x318b5: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x31927: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x319bd: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x31a4d: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 3.2.PO#50124.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 3.2.PO#50124.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  (further entries collapsed in the original report)

System Summary

Sigma match | Source: Network Connection | Author: frack113 | Data: DestinationIp: 50.87.219.149, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\PO#50124.exe, Initiated: true, ProcessId: 7252, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49707
No Snort rule has matched

AV Detection

Source: PO#50124.exe | Avira: detected
Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alkuwaiti.com", "Username": "electronics@alkuwaiti.com", "Password": "Ele@1804"}
Source: PO#50124.exe | ReversingLabs: Detection: 83%
Source: PO#50124.exe | Virustotal: Detection: 72%
Source: PO#50124.exe | Joe Sandbox ML: detected
Source: PO#50124.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: PO#50124.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PO#50124.exe | Code function: 4x nop then jmp 07690113h | 0_2_07690588
Source: global traffic | TCP traffic: 192.168.2.7:49707 -> 50.87.219.149:587
Source: Joe Sandbox View | IP Address: 50.87.219.149
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org (3 queries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive (2 requests)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 events)
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.alkuwaiti.com
Source: PO#50124.exe, 00000003.00000002.2591871064.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.alkuwaiti.com
Source: PO#50124.exe, 00000003.00000002.2590375532.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, 00000003.00000002.2591871064.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2589940978.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: PO#50124.exe, 00000003.00000002.2590375532.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, 00000003.00000002.2591871064.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2589940978.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: PO#50124.exe, 00000003.00000002.2591871064.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO#50124.exe, 00000003.00000002.2590375532.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, 00000003.00000002.2591871064.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2590375532.0000000000F99000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: PO#50124.exe, 00000003.00000002.2590375532.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, 00000003.00000002.2591871064.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2590375532.0000000000F99000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: PO#50124.exe, 00000000.00000002.1386811526.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: PO#50124.exe, 00000000.00000002.1386811526.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2591871064.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: PO#50124.exe, 00000003.00000002.2591871064.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: PO#50124.exe, 00000003.00000002.2591871064.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, oAKy.cs | .Net Code: CHgRvKS
Source: 0.2.PO#50124.exe.3fc3688.3.raw.unpack, oAKy.cs | .Net Code: CHgRvKS

System Summary

Source: 0.2.PO#50124.exe.3fc3688.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 3.2.PO#50124.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.PO#50124.exe.3ffe0a8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.PO#50124.exe.3fc3688.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.PO#50124.exe.2f9e330.0.raw.unpack, SQL.cs | Large array initialization: array initializer size 33608
Source: 0.2.PO#50124.exe.5840000.5.raw.unpack, SQL.cs | Large array initialization: array initializer size 33608
Source: initial sample | Static PE information: Filename: PO#50124.exe
Source: C:\Users\user\Desktop\PO#50124.exe | Code functions: 0_2_07693450, 3_2_0114A1A0, 3_2_0114E6B8, 3_2_0114A968, 3_2_01144AA0, 3_2_0114DCC0, 3_2_01143E88, 3_2_011441D0, 3_2_068F5598, 3_2_068F65E8, 3_2_068F7D78, 3_2_068FB240, 3_2_068F2360, 3_2_068FC198, 3_2_068F7698, 3_2_068F5CE8, 3_2_068FE3B0, 3_2_068F0167, 3_2_068F0007
Source: PO#50124.exe, 00000000.00000002.1386311517.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PO#50124.exe
Source: PO#50124.exe, 00000000.00000002.1386811526.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4548b61d-822f-464b-a714-a9778dc216a9.exe4 vs PO#50124.exe
Source: PO#50124.exe, 00000000.00000000.1332123937.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOXxu.exe< vs PO#50124.exe
Source: PO#50124.exe, 00000000.00000002.1386311517.000000000305E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4548b61d-822f-464b-a714-a9778dc216a9.exe4 vs PO#50124.exe
Source: PO#50124.exe, 00000000.00000002.1385640207.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO#50124.exe
Source: PO#50124.exe, 00000000.00000002.1389708327.0000000005840000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PO#50124.exe
Source: PO#50124.exe, 00000000.00000002.1386811526.0000000004936000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs PO#50124.exe
Source: PO#50124.exe, 00000000.00000002.1391217894.000000000B090000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs PO#50124.exe
Source: PO#50124.exe, 00000003.00000002.2589693632.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO#50124.exe
Source: PO#50124.exe, 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4548b61d-822f-464b-a714-a9778dc216a9.exe4 vs PO#50124.exe
Source: PO#50124.exe | Binary or memory string: OriginalFilenameOXxu.exe< vs PO#50124.exe
Source: PO#50124.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.PO#50124.exe.3fc3688.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.PO#50124.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO#50124.exe.3ffe0a8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO#50124.exe.3fc3688.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: PO#50124.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, ekKu0.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, vKf1z6NvS.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, ZNAvlD7qmXc.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, U2doU2.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, BgffYko.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, HrTdA63.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, Vvp22TrBv9g.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, VCS7wWF7FG29jK2qtE.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, VCS7wWF7FG29jK2qtE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, VCS7wWF7FG29jK2qtE.cs | Security API names: _0020.AddAccessRule
Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, MK1NMKAGNl9pwlKagZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, VCS7wWF7FG29jK2qtE.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, VCS7wWF7FG29jK2qtE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, VCS7wWF7FG29jK2qtE.cs | Security API names: _0020.AddAccessRule
Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, MK1NMKAGNl9pwlKagZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, MK1NMKAGNl9pwlKagZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, VCS7wWF7FG29jK2qtE.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, VCS7wWF7FG29jK2qtE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, VCS7wWF7FG29jK2qtE.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\PO#50124.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#50124.exe.log
Source: C:\Users\user\Desktop\PO#50124.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\PO#50124.exe | Mutant created: \Sessions\1\BaseNamedObjects\bsRSckSPTjZsUAV
Source: PO#50124.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO#50124.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO#50124.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO#50124.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO#50124.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PO#50124.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO#50124.exe | ReversingLabs: Detection: 83%
Source: PO#50124.exe | Virustotal: Detection: 72%
Source: C:\Users\user\Desktop\PO#50124.exe | File read: C:\Users\user\Desktop\PO#50124.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\PO#50124.exe "C:\Users\user\Desktop\PO#50124.exe"
Source: C:\Users\user\Desktop\PO#50124.exe | Process created: C:\Users\user\Desktop\PO#50124.exe "C:\Users\user\Desktop\PO#50124.exe"
Source: C:\Users\user\Desktop\PO#50124.exe | Sections loaded (first sequence): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, msvcp140_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, textshaping.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, propsys.dll, windowscodecs.dll
Source: C:\Users\user\Desktop\PO#50124.exe | Sections loaded (second sequence): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, vaultcli.dll, wintypes.dll
Source: C:\Users\user\Desktop\PO#50124.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\PO#50124.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO#50124.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: PO#50124.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#50124.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: PO#50124.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, VCS7wWF7FG29jK2qtE.cs | .Net Code: URjwyBgt09 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, VCS7wWF7FG29jK2qtE.cs | .Net Code: URjwyBgt09 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO#50124.exe.2f9e330.0.raw.unpack, SQL.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO#50124.exe.5840000.5.raw.unpack, SQL.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, VCS7wWF7FG29jK2qtE.cs | .Net Code: URjwyBgt09 System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\PO#50124.exe | Code function: 0_2_013A0DBB pushfd ; iretd 0_2_013A0DE9
                    Source: C:\Users\user\Desktop\PO#50124.exe | Code function: 0_2_013A0DEB pushfd ; iretd 0_2_013A0DE9
                    Source: C:\Users\user\Desktop\PO#50124.exe | Code function: 3_2_01140C95 push edi; retf 3_2_01140C3A
                    Source: C:\Users\user\Desktop\PO#50124.exe | Code function: 3_2_01140CB5 push edi; ret 3_2_01140CC2
                    Source: PO#50124.exe | Static PE information: section name: .text entropy: 7.96596968808791
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, MK1NMKAGNl9pwlKagZ.cs | High entropy of concatenated method names: 'asWQKYqjBU', 'L1iQ2Ctfpp', 'qhyQtFWF68', 'tOeQJSwt24', 'vM1QfQlbc9', 'Q7QQU7VBWa', 'GuSQHmAsEH', 'xolQumJseL', 'Eh2Q4yAafr', 'GUrQmCOdOg'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, dUaCTtl9IEdle8IdlH.cs | High entropy of concatenated method names: 'IAIpEb2YGK', 'jdyp5ekB1W', 'DPypAEToxQ', 'lxtplsG3WQ', 'zfnp0AwfKJ', 'noCpRAx88x', 'ScBpjrg1Hu', 'x5NpBlRXTH', 'AVPpnvOKRj', 'os7pv3qihK'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, qfJ6lFtPkHUWK2Yy8d.cs | High entropy of concatenated method names: 'ToString', 'Xs4RgJUxWX', 'mWARrPZkYP', 'MavRkYGrEI', 'PpARLcSHpv', 'OPtRX6DHmi', 'ldkR8dfoZQ', 'KrRRxAfpHw', 'fvpRdAFuAu', 'RtZR9jADra'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, DSMMmsmWahJCyHGHY6.cs | High entropy of concatenated method names: 'FS7nWpdK7Q', 'M0jn7wHhZZ', 'XKenw2gGTw', 'NB6n3iExaI', 'oqTnQsnuCi', 'MmtnoWJFSF', 'JCWnYq4QbY', 'EsUBH5ALbG', 'XY5BumUVIS', 'TtCB4QsJWl'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, nPXBYBQq0I78xUWaQl.cs | High entropy of concatenated method names: 'Dispose', 'eSkW4Jt665', 'KPKDrRoXrn', 'JDBVVAyBfO', 'i25WmcagEt', 'uQoWzvhH6V', 'ProcessDialogKey', 'lnRDPpnmYt', 'tlhDW6wNwN', 'pN4DDASMMm'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, UYH9ZJzGujToqdEPB4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WglnC6m30K', 'dDtn0iDR2W', 'S8ZnRYmbSr', 'zYFnjXEGpe', 'sRlnBHkVtI', 'ANCnnMClBP', 'RNCnv4wsY5'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, Q73CAQW7OaD9TYA61PB.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LEYvK6IBSq', 'ux3v28fMiK', 'HO4vtA2Syf', 'KygvJBefum', 'J3uvf0PPgR', 'BW8vUQPM1V', 'z9wvHAh2BM'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, ppnmYt4Glh6wNwNRN4.cs | High entropy of concatenated method names: 'nCyBSg0ZRf', 'cmUBr6ou32', 'qpZBk2xbEn', 'QZIBL9YqWO', 'yorBKvryNO', 'MjsBXsj6Ma', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, bI6ysyiUVXuKRuriOs.cs | High entropy of concatenated method names: 'HHJocu7ESs', 'ncxoqWO6un', 'EuOpksxvlE', 'uO1pLqfyK9', 'L5bpXDVsoa', 'OQTp8bRwqF', 'LyrpxlKC12', 'O3npdsjRdD', 'crJp9fqqWs', 'bZDpOU3PFe'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, alPQQUwB4FteeuoGrn.cs | High entropy of concatenated method names: 'Qu9WhK1NMK', 'tNlWF9pwlK', 'T9IWbEdle8', 'PdlWZHWI6y', 'XriW0OsAsR', 'YJ3WRkeAe2', 'rKfySWPQPvsdib5SiM', 'Yv92PxjuCY2OR49H3x', 'wR9WW0PLdy', 'SLwW7EwKnM'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, DsRmJ3SkeAe2VEDheA.cs | High entropy of concatenated method names: 'bwgYs11tOp', 'Hj5YQwDbdt', 'dVQYo2VnGw', 'vE2Yhmyedo', 'OmSYFbxqZB', 'I1Lofvo4QZ', 'RafoUbl5KG', 'hhboHtw2EI', 'kTNou8ZJCi', 'h4Ho4T8QHx'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, WW06WiWPoas24VvQ4nC.cs | High entropy of concatenated method names: 'wdBnNqU6Bj', 'ajUnTuV2qd', 'oSGnyOB5Cb', 'HeGnEIG7e1', 'mqanc79kTD', 'abcn50baOl', 'WYynqGMDoF', 'TvqnAtSgnV', 'GR9nlevw9C', 'brOniD8IYX'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, S5cagEut1QovhH6Ven.cs | High entropy of concatenated method names: 'cFcB3yjCP2', 'xv7BQdqx9h', 'kJFBpl6Gu6', 'FWjBokuE6E', 'OvCBYrkPDK', 'tcZBhsQ2Ga', 'O1qBFqcRlA', 'db8BePSvXB', 'LPXBb95hON', 'lTjBZlKoYT'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, PUlYy19abffV21uSgs.cs | High entropy of concatenated method names: 'zQIhNg61HW', 'LYUhTYvlpe', 'WAAhyMaYa3', 'yRihEvY4yk', 'YZUhcZ7exu', 'fV2h5DJWiA', 'QfRhqh0VKB', 'Fv7hA2XksP', 'X2JhltMyrP', 'TdEhiiudeG'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, mDdL3pDf3G7VcFOu0c.cs | High entropy of concatenated method names: 'sVDyAo1dT', 'zx5E3qJd4', 'VfW5vKXAw', 'U6UqvlmW6', 'VZRltA2yT', 'o6LiHbfta', 'mkpdoNI2yU51DqOvuy', 'Swex7BkQXQSgm8Y0ye', 'eOqB4Hlyc', 'rPqv2fPtj'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, VCS7wWF7FG29jK2qtE.cs | High entropy of concatenated method names: 'J3A7swe7NR', 'QaX73JDXRh', 'DlX7QRJXHj', 'Q937pj3BcD', 'LCY7oa0g8t', 'JR87YRUW25', 'nik7hJTEOr', 'csB7Fn9rLW', 'Oeb7e7xWPW', 'VPg7bC4EyE'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, cyiT3gUbZ9FoLA7vcZ.cs | High entropy of concatenated method names: 'M1Lju1VTj7', 'd6Fjm2hxK2', 'SbaBPaIQ6x', 'lZDBWM9GAV', 'CP3jgbetKR', 'KwijILnoMc', 'lK8jMOtJTG', 'z1vjKOMkFP', 'XT7j2shXxK', 'Sb8jth4KWU'
                    Source: 0.2.PO#50124.exe.4bb8d40.4.raw.unpack, F4ZVrRM1moHK5ZDjGD.cs | High entropy of concatenated method names: 'XrwCAm1y5L', 'OLvCl6vxHq', 'p3aCS04PBi', 'QesCrTQqMk', 'gOaCLEJdCi', 'zcHCX8b1eb', 'bA9CxyiQI4', 'mMgCddMm9a', 'OGOCOIFW2t', 'oJfCgukbtG'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, MK1NMKAGNl9pwlKagZ.cs | High entropy of concatenated method names: 'asWQKYqjBU', 'L1iQ2Ctfpp', 'qhyQtFWF68', 'tOeQJSwt24', 'vM1QfQlbc9', 'Q7QQU7VBWa', 'GuSQHmAsEH', 'xolQumJseL', 'Eh2Q4yAafr', 'GUrQmCOdOg'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, dUaCTtl9IEdle8IdlH.cs | High entropy of concatenated method names: 'IAIpEb2YGK', 'jdyp5ekB1W', 'DPypAEToxQ', 'lxtplsG3WQ', 'zfnp0AwfKJ', 'noCpRAx88x', 'ScBpjrg1Hu', 'x5NpBlRXTH', 'AVPpnvOKRj', 'os7pv3qihK'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, qfJ6lFtPkHUWK2Yy8d.cs | High entropy of concatenated method names: 'ToString', 'Xs4RgJUxWX', 'mWARrPZkYP', 'MavRkYGrEI', 'PpARLcSHpv', 'OPtRX6DHmi', 'ldkR8dfoZQ', 'KrRRxAfpHw', 'fvpRdAFuAu', 'RtZR9jADra'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, DSMMmsmWahJCyHGHY6.cs | High entropy of concatenated method names: 'FS7nWpdK7Q', 'M0jn7wHhZZ', 'XKenw2gGTw', 'NB6n3iExaI', 'oqTnQsnuCi', 'MmtnoWJFSF', 'JCWnYq4QbY', 'EsUBH5ALbG', 'XY5BumUVIS', 'TtCB4QsJWl'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, nPXBYBQq0I78xUWaQl.cs | High entropy of concatenated method names: 'Dispose', 'eSkW4Jt665', 'KPKDrRoXrn', 'JDBVVAyBfO', 'i25WmcagEt', 'uQoWzvhH6V', 'ProcessDialogKey', 'lnRDPpnmYt', 'tlhDW6wNwN', 'pN4DDASMMm'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, UYH9ZJzGujToqdEPB4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WglnC6m30K', 'dDtn0iDR2W', 'S8ZnRYmbSr', 'zYFnjXEGpe', 'sRlnBHkVtI', 'ANCnnMClBP', 'RNCnv4wsY5'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, Q73CAQW7OaD9TYA61PB.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LEYvK6IBSq', 'ux3v28fMiK', 'HO4vtA2Syf', 'KygvJBefum', 'J3uvf0PPgR', 'BW8vUQPM1V', 'z9wvHAh2BM'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, ppnmYt4Glh6wNwNRN4.cs | High entropy of concatenated method names: 'nCyBSg0ZRf', 'cmUBr6ou32', 'qpZBk2xbEn', 'QZIBL9YqWO', 'yorBKvryNO', 'MjsBXsj6Ma', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, bI6ysyiUVXuKRuriOs.cs | High entropy of concatenated method names: 'HHJocu7ESs', 'ncxoqWO6un', 'EuOpksxvlE', 'uO1pLqfyK9', 'L5bpXDVsoa', 'OQTp8bRwqF', 'LyrpxlKC12', 'O3npdsjRdD', 'crJp9fqqWs', 'bZDpOU3PFe'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, alPQQUwB4FteeuoGrn.cs | High entropy of concatenated method names: 'Qu9WhK1NMK', 'tNlWF9pwlK', 'T9IWbEdle8', 'PdlWZHWI6y', 'XriW0OsAsR', 'YJ3WRkeAe2', 'rKfySWPQPvsdib5SiM', 'Yv92PxjuCY2OR49H3x', 'wR9WW0PLdy', 'SLwW7EwKnM'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, DsRmJ3SkeAe2VEDheA.cs | High entropy of concatenated method names: 'bwgYs11tOp', 'Hj5YQwDbdt', 'dVQYo2VnGw', 'vE2Yhmyedo', 'OmSYFbxqZB', 'I1Lofvo4QZ', 'RafoUbl5KG', 'hhboHtw2EI', 'kTNou8ZJCi', 'h4Ho4T8QHx'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, WW06WiWPoas24VvQ4nC.cs | High entropy of concatenated method names: 'wdBnNqU6Bj', 'ajUnTuV2qd', 'oSGnyOB5Cb', 'HeGnEIG7e1', 'mqanc79kTD', 'abcn50baOl', 'WYynqGMDoF', 'TvqnAtSgnV', 'GR9nlevw9C', 'brOniD8IYX'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, S5cagEut1QovhH6Ven.cs | High entropy of concatenated method names: 'cFcB3yjCP2', 'xv7BQdqx9h', 'kJFBpl6Gu6', 'FWjBokuE6E', 'OvCBYrkPDK', 'tcZBhsQ2Ga', 'O1qBFqcRlA', 'db8BePSvXB', 'LPXBb95hON', 'lTjBZlKoYT'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, PUlYy19abffV21uSgs.cs | High entropy of concatenated method names: 'zQIhNg61HW', 'LYUhTYvlpe', 'WAAhyMaYa3', 'yRihEvY4yk', 'YZUhcZ7exu', 'fV2h5DJWiA', 'QfRhqh0VKB', 'Fv7hA2XksP', 'X2JhltMyrP', 'TdEhiiudeG'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, mDdL3pDf3G7VcFOu0c.cs | High entropy of concatenated method names: 'sVDyAo1dT', 'zx5E3qJd4', 'VfW5vKXAw', 'U6UqvlmW6', 'VZRltA2yT', 'o6LiHbfta', 'mkpdoNI2yU51DqOvuy', 'Swex7BkQXQSgm8Y0ye', 'eOqB4Hlyc', 'rPqv2fPtj'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, VCS7wWF7FG29jK2qtE.cs | High entropy of concatenated method names: 'J3A7swe7NR', 'QaX73JDXRh', 'DlX7QRJXHj', 'Q937pj3BcD', 'LCY7oa0g8t', 'JR87YRUW25', 'nik7hJTEOr', 'csB7Fn9rLW', 'Oeb7e7xWPW', 'VPg7bC4EyE'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, cyiT3gUbZ9FoLA7vcZ.cs | High entropy of concatenated method names: 'M1Lju1VTj7', 'd6Fjm2hxK2', 'SbaBPaIQ6x', 'lZDBWM9GAV', 'CP3jgbetKR', 'KwijILnoMc', 'lK8jMOtJTG', 'z1vjKOMkFP', 'XT7j2shXxK', 'Sb8jth4KWU'
                    Source: 0.2.PO#50124.exe.4b3cb20.2.raw.unpack, F4ZVrRM1moHK5ZDjGD.cs | High entropy of concatenated method names: 'XrwCAm1y5L', 'OLvCl6vxHq', 'p3aCS04PBi', 'QesCrTQqMk', 'gOaCLEJdCi', 'zcHCX8b1eb', 'bA9CxyiQI4', 'mMgCddMm9a', 'OGOCOIFW2t', 'oJfCgukbtG'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, MK1NMKAGNl9pwlKagZ.cs | High entropy of concatenated method names: 'asWQKYqjBU', 'L1iQ2Ctfpp', 'qhyQtFWF68', 'tOeQJSwt24', 'vM1QfQlbc9', 'Q7QQU7VBWa', 'GuSQHmAsEH', 'xolQumJseL', 'Eh2Q4yAafr', 'GUrQmCOdOg'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, dUaCTtl9IEdle8IdlH.cs | High entropy of concatenated method names: 'IAIpEb2YGK', 'jdyp5ekB1W', 'DPypAEToxQ', 'lxtplsG3WQ', 'zfnp0AwfKJ', 'noCpRAx88x', 'ScBpjrg1Hu', 'x5NpBlRXTH', 'AVPpnvOKRj', 'os7pv3qihK'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, qfJ6lFtPkHUWK2Yy8d.cs | High entropy of concatenated method names: 'ToString', 'Xs4RgJUxWX', 'mWARrPZkYP', 'MavRkYGrEI', 'PpARLcSHpv', 'OPtRX6DHmi', 'ldkR8dfoZQ', 'KrRRxAfpHw', 'fvpRdAFuAu', 'RtZR9jADra'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, DSMMmsmWahJCyHGHY6.cs | High entropy of concatenated method names: 'FS7nWpdK7Q', 'M0jn7wHhZZ', 'XKenw2gGTw', 'NB6n3iExaI', 'oqTnQsnuCi', 'MmtnoWJFSF', 'JCWnYq4QbY', 'EsUBH5ALbG', 'XY5BumUVIS', 'TtCB4QsJWl'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, nPXBYBQq0I78xUWaQl.cs | High entropy of concatenated method names: 'Dispose', 'eSkW4Jt665', 'KPKDrRoXrn', 'JDBVVAyBfO', 'i25WmcagEt', 'uQoWzvhH6V', 'ProcessDialogKey', 'lnRDPpnmYt', 'tlhDW6wNwN', 'pN4DDASMMm'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, UYH9ZJzGujToqdEPB4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WglnC6m30K', 'dDtn0iDR2W', 'S8ZnRYmbSr', 'zYFnjXEGpe', 'sRlnBHkVtI', 'ANCnnMClBP', 'RNCnv4wsY5'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, Q73CAQW7OaD9TYA61PB.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LEYvK6IBSq', 'ux3v28fMiK', 'HO4vtA2Syf', 'KygvJBefum', 'J3uvf0PPgR', 'BW8vUQPM1V', 'z9wvHAh2BM'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, ppnmYt4Glh6wNwNRN4.cs | High entropy of concatenated method names: 'nCyBSg0ZRf', 'cmUBr6ou32', 'qpZBk2xbEn', 'QZIBL9YqWO', 'yorBKvryNO', 'MjsBXsj6Ma', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, bI6ysyiUVXuKRuriOs.cs | High entropy of concatenated method names: 'HHJocu7ESs', 'ncxoqWO6un', 'EuOpksxvlE', 'uO1pLqfyK9', 'L5bpXDVsoa', 'OQTp8bRwqF', 'LyrpxlKC12', 'O3npdsjRdD', 'crJp9fqqWs', 'bZDpOU3PFe'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, alPQQUwB4FteeuoGrn.cs | High entropy of concatenated method names: 'Qu9WhK1NMK', 'tNlWF9pwlK', 'T9IWbEdle8', 'PdlWZHWI6y', 'XriW0OsAsR', 'YJ3WRkeAe2', 'rKfySWPQPvsdib5SiM', 'Yv92PxjuCY2OR49H3x', 'wR9WW0PLdy', 'SLwW7EwKnM'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, DsRmJ3SkeAe2VEDheA.cs | High entropy of concatenated method names: 'bwgYs11tOp', 'Hj5YQwDbdt', 'dVQYo2VnGw', 'vE2Yhmyedo', 'OmSYFbxqZB', 'I1Lofvo4QZ', 'RafoUbl5KG', 'hhboHtw2EI', 'kTNou8ZJCi', 'h4Ho4T8QHx'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, WW06WiWPoas24VvQ4nC.cs | High entropy of concatenated method names: 'wdBnNqU6Bj', 'ajUnTuV2qd', 'oSGnyOB5Cb', 'HeGnEIG7e1', 'mqanc79kTD', 'abcn50baOl', 'WYynqGMDoF', 'TvqnAtSgnV', 'GR9nlevw9C', 'brOniD8IYX'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, S5cagEut1QovhH6Ven.cs | High entropy of concatenated method names: 'cFcB3yjCP2', 'xv7BQdqx9h', 'kJFBpl6Gu6', 'FWjBokuE6E', 'OvCBYrkPDK', 'tcZBhsQ2Ga', 'O1qBFqcRlA', 'db8BePSvXB', 'LPXBb95hON', 'lTjBZlKoYT'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, PUlYy19abffV21uSgs.cs | High entropy of concatenated method names: 'zQIhNg61HW', 'LYUhTYvlpe', 'WAAhyMaYa3', 'yRihEvY4yk', 'YZUhcZ7exu', 'fV2h5DJWiA', 'QfRhqh0VKB', 'Fv7hA2XksP', 'X2JhltMyrP', 'TdEhiiudeG'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, mDdL3pDf3G7VcFOu0c.cs | High entropy of concatenated method names: 'sVDyAo1dT', 'zx5E3qJd4', 'VfW5vKXAw', 'U6UqvlmW6', 'VZRltA2yT', 'o6LiHbfta', 'mkpdoNI2yU51DqOvuy', 'Swex7BkQXQSgm8Y0ye', 'eOqB4Hlyc', 'rPqv2fPtj'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, VCS7wWF7FG29jK2qtE.cs | High entropy of concatenated method names: 'J3A7swe7NR', 'QaX73JDXRh', 'DlX7QRJXHj', 'Q937pj3BcD', 'LCY7oa0g8t', 'JR87YRUW25', 'nik7hJTEOr', 'csB7Fn9rLW', 'Oeb7e7xWPW', 'VPg7bC4EyE'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, cyiT3gUbZ9FoLA7vcZ.cs | High entropy of concatenated method names: 'M1Lju1VTj7', 'd6Fjm2hxK2', 'SbaBPaIQ6x', 'lZDBWM9GAV', 'CP3jgbetKR', 'KwijILnoMc', 'lK8jMOtJTG', 'z1vjKOMkFP', 'XT7j2shXxK', 'Sb8jth4KWU'
                    Source: 0.2.PO#50124.exe.b090000.8.raw.unpack, F4ZVrRM1moHK5ZDjGD.cs | High entropy of concatenated method names: 'XrwCAm1y5L', 'OLvCl6vxHq', 'p3aCS04PBi', 'QesCrTQqMk', 'gOaCLEJdCi', 'zcHCX8b1eb', 'bA9CxyiQI4', 'mMgCddMm9a', 'OGOCOIFW2t', 'oJfCgukbtG'
                    Source: C:\Users\user\Desktop\PO#50124.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\PO#50124.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\PO#50124.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: 1160000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: 2F50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: 14D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: 8C30000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: 7310000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: 9C30000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: AC30000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: B110000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: 8C30000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: 1140000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: 2CA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeMemory allocated: 4CA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeWindow / User API: threadDelayed 8248Jump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exeWindow / User API: threadDelayed 1574Jump to behavior
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 4636 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -26747778906878833s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7416 | Thread sleep count: 8248 > 30
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -99891s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7416 | Thread sleep count: 1574 > 30
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -99781s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -99672s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -99563s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -99452s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -99344s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -99235s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep count: 35 > 30
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -99110s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -98985s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -98860s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -98735s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -98485s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -98235s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -98110s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -97985s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -97735s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -97610s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -97485s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -97360s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -97235s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -97110s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -96985s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -96860s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -96735s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -96610s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -96485s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -96360s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -96235s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -96110s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -95985s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -95860s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -95735s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -95610s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -95485s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -95360s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -95235s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -95110s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -94985s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -94860s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -94735s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -94610s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -94485s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -94360s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -94235s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -94110s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe TID: 7400 | Thread sleep time: -93985s >= -30000s
                    Source: C:\Users\user\Desktop\PO#50124.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\PO#50124.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PO#50124.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 99891
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 99781
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 99672
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 99563
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 99452
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 99344
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 99235
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 99110
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 98985
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 98860
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 98735
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 98610
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 98485
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 98360
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 98235
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 98110
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 97985
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 97860
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 97735
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 97610
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 97485
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 97360
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 97235
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 97110
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 96985
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 96860
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 96735
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 96610
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 96485
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 96360
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 96235
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 96110
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 95985
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 95860
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 95735
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 95610
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 95485
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 95360
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 95235
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 95110
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 94985
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 94860
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 94735
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 94610
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 94485
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 94360
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 94235
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 94110
                    Source: C:\Users\user\Desktop\PO#50124.exe | Thread delayed: delay time: 93985
                    Source: PO#50124.exe, 00000003.00000002.2590375532.0000000000F99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\PO#50124.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\PO#50124.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PO#50124.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\PO#50124.exe | Process created: C:\Users\user\Desktop\PO#50124.exe "C:\Users\user\Desktop\PO#50124.exe"
                    Source: C:\Users\user\Desktop\PO#50124.exe | Queries volume information: C:\Users\user\Desktop\PO#50124.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PO#50124.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO#50124.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO#50124.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO#50124.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO#50124.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO#50124.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.PO#50124.exe.3fc3688.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.PO#50124.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO#50124.exe.3ffe0a8.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO#50124.exe.3fc3688.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.2591871064.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2591871064.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1386811526.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PO#50124.exe PID: 7072, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: PO#50124.exe PID: 7252, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\PO#50124.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\PO#50124.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\PO#50124.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\PO#50124.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\PO#50124.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\PO#50124.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\PO#50124.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\PO#50124.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\PO#50124.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\PO#50124.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.PO#50124.exe.3fc3688.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.PO#50124.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO#50124.exe.3ffe0a8.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO#50124.exe.3fc3688.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.2591871064.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1386811526.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PO#50124.exe PID: 7072, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: PO#50124.exe PID: 7252, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.PO#50124.exe.3fc3688.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.PO#50124.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO#50124.exe.3ffe0a8.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO#50124.exe.3ffe0a8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO#50124.exe.3fc3688.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.2591871064.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2591871064.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1386811526.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PO#50124.exe PID: 7072, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: PO#50124.exe PID: 7252, type: MEMORYSTR
                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: Windows Management Instrumentation (121); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (141); Process Injection (11)
                    Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: File and Directory Discovery (1); System Information Discovery (24); Query Registry (1); Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Network Configuration Discovery (1)
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (23); Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Source | Detection | Scanner | Label | Link
                    PO#50124.exe | 83% | ReversingLabs | Win32.Trojan.Leonem |
                    PO#50124.exe | 72% | Virustotal | | Browse
                    PO#50124.exe | 100% | Avira | HEUR/AGEN.1309974 |
                    PO#50124.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    mail.alkuwaiti.com | 0% | Virustotal | | Browse
                    Source | Detection | Scanner | Label | Link
                    http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
                    http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
                    http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
                    http://r3.i.lencr.org/0 | 0% | URL Reputation | safe |
                    http://mail.alkuwaiti.com | 0% | Avira URL Cloud | safe |
                    http://mail.alkuwaiti.com | 0% | Virustotal | | Browse
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    mail.alkuwaiti.com | 50.87.219.149 | true | true | | unknown
                    api.ipify.org | 104.26.13.205 | true | false | | high
                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.ipify.org/ | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://mail.alkuwaiti.com | PO#50124.exe, 00000003.00000002.2591871064.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    http://r3.o.lencr.org0 | PO#50124.exe, 00000003.00000002.2590375532.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2591871064.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2589940978.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://api.ipify.org | PO#50124.exe, 00000000.00000002.1386811526.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2591871064.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    https://account.dyn.com/ | PO#50124.exe, 00000000.00000002.1386811526.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    https://api.ipify.org/t | PO#50124.exe, 00000003.00000002.2591871064.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO#50124.exe, 00000003.00000002.2591871064.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://x1.c.lencr.org/0 | PO#50124.exe, 00000003.00000002.2590375532.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2591871064.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2590375532.0000000000F99000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://x1.i.lencr.org/0 | PO#50124.exe, 00000003.00000002.2590375532.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2591871064.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2590375532.0000000000F99000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://r3.i.lencr.org/0 | PO#50124.exe, 00000003.00000002.2590375532.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2591871064.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, PO#50124.exe, 00000003.00000002.2589940978.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
50.87.219.149 | mail.alkuwaiti.com | United States | 46606 | UNIFIEDLAYER-AS-1 (US) | true
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENET (US) | false
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1432053
                                Start date and time:2024-04-26 11:08:10 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 47s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:PO#50124.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@3/1@2/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 98%
                                • Number of executed functions: 84
                                • Number of non-executed functions: 7
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:09:18 | API Interceptor | 65x Sleep call for process: PO#50124.exe modified
The sandbox shortened 65 Sleep calls so the sample would not stall the run; on an unmodified host the delays between the stages recorded in the network tables below may be considerably longer.
Match | Associated Sample Name / URL | Detection | Threat Name | Context
50.87.219.149 | Ziraat Swift Bildirimi.exe | malicious | FormBook, GuLoader
  • www.hyperfocusmasterclass.com/gg58/?f0=BXeHzp&3f=5Ix8alVOa82T/DZIfBhrjeSKtZ641IDQQHgZKH1ZvtSurMdm0kyXcXMOnWQHCxpuENZh
50.87.219.149 | Ziraat Swift Bildirimi.exe | malicious | FormBook, GuLoader
  • www.hyperfocusmasterclass.com/gg58/?RZwp=5Ix8alVOa82T/DZIfBhrjeSKtZ641IDQQHgZKH1ZvtSurMdm0kyXcXMOnWQHCxpuENZh&2d6tXz=j8vX
104.26.13.205 | SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | malicious | PureLog Stealer, Targeted Ransomware
  • api.ipify.org/
104.26.13.205 | Sky-Beta-Setup.exe | malicious | Stealit
  • api.ipify.org/?format=json
104.26.13.205 | ArenaWarSetup.exe | malicious | Stealit
  • api.ipify.org/?format=json
104.26.13.205 | Sky-Beta Setup 1.0.0.exe | malicious | Unknown
  • api.ipify.org/?format=json
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown
  • api.ipify.org/
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown
  • api.ipify.org/
104.26.13.205 | SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe | malicious | PureLog Stealer, Targeted Ransomware
  • api.ipify.org/
Note: 50.87.219.149 is shared hosting; the previous hits on it are FormBook traffic to an unrelated domain, so the mail host and mailbox, not the IP, are the indicators worth keeping. 104.26.13.205 is a Cloudflare edge for api.ipify.org and is contacted by benign and malicious software alike.
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.alkuwaiti.com | SecuriteInfo.com.Win32.MalwareX-gen.3610.30636.exe | malicious | AgentTesla
  • 50.87.219.149
mail.alkuwaiti.com | Bank slip.exe | malicious | AgentTesla
  • 50.87.219.149
mail.alkuwaiti.com | PO#240.exe | malicious | AgentTesla
  • 50.87.219.149
mail.alkuwaiti.com | Shipping Docs.exe | malicious | AgentTesla
  • 50.87.219.149
mail.alkuwaiti.com | SecuriteInfo.com.W32.MSIL_Kryptik.DWR.gen.Eldorado.6551.17723.exe | malicious | AgentTesla
  • 50.87.219.149
api.ipify.org | Statement of Account PDF.bat.exe | malicious | AgentTesla, PureLog Stealer
  • 104.26.12.205
api.ipify.org | CHEMICAL SPECIFICATIONS.exe | malicious | AgentTesla
  • 104.26.13.205
api.ipify.org | Payment.exe | malicious | AgentTesla
  • 104.26.12.205
api.ipify.org | SOA FOR APR 2024 PDF.exe | malicious | AgentTesla, PureLog Stealer
  • 104.26.12.205
api.ipify.org | Payment Swift.doc | malicious | AgentTesla
  • 172.67.74.152
api.ipify.org | https://lide.alosalca.fun/highbox#joeblow@xyz.com | malicious | HTMLPhisher
  • 104.26.13.205
api.ipify.org | http://asana.wf | malicious | Unknown
  • 172.67.74.152
api.ipify.org | o3KyzpE7F4.ps1 | malicious | AgentTesla, PureLog Stealer
  • 172.67.74.152
api.ipify.org | http://wsj.pm | malicious | NetSupport RAT
  • 104.26.12.205
api.ipify.org | 16770075581.zip | malicious | AgentTesla, PureLog Stealer
  • 104.26.12.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNIFIEDLAYER-AS-1 (US) | http://www.tbmuae.com/ | malicious | GRQ Scam
  • 198.57.149.230
UNIFIEDLAYER-AS-1 (US) | Statement of Account PDF.bat.exe | malicious | AgentTesla, PureLog Stealer
  • 50.87.195.61
UNIFIEDLAYER-AS-1 (US) | Quotation Order.exe | malicious | AgentTesla
  • 192.254.225.166
UNIFIEDLAYER-AS-1 (US) | DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe | malicious | AgentTesla, PureLog Stealer
  • 50.87.253.239
UNIFIEDLAYER-AS-1 (US) | CHEMICAL SPECIFICATIONS.exe | malicious | AgentTesla
  • 192.254.225.136
UNIFIEDLAYER-AS-1 (US) | SOA FOR APR 2024 PDF.exe | malicious | AgentTesla, PureLog Stealer
  • 50.87.195.61
UNIFIEDLAYER-AS-1 (US) | INQ No. HDPE-16-GM-00- PI-INQ-3001.exe | malicious | FormBook, PureLog Stealer
  • 162.240.81.18
UNIFIEDLAYER-AS-1 (US) | DOC-Zcns1G_.html | malicious | HTMLPhisher
  • 192.232.216.145
UNIFIEDLAYER-AS-1 (US) | DOC-Zcns1G_.html | malicious | HTMLPhisher
  • 192.232.216.145
UNIFIEDLAYER-AS-1 (US) | DOC-Zcns1G_.html | malicious | HTMLPhisher
  • 192.232.216.145
CLOUDFLARENET (US) | file.exe | malicious | RisePro Stealer
  • 104.26.4.15
CLOUDFLARENET (US) | https://deebmpapst.ordineproposal.top/ | malicious | Unknown
  • 104.17.2.184
CLOUDFLARENET (US) | Statement of Account PDF.bat.exe | malicious | AgentTesla, PureLog Stealer
  • 104.26.12.205
CLOUDFLARENET (US) | https://powerpointmicrosoftoffice.top/ | malicious | Unknown
  • 104.17.3.184
CLOUDFLARENET (US) | https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:d35aec95-f365-414c-8371-68e6d7d2ec41 | malicious | Unknown
  • 104.17.28.92
CLOUDFLARENET (US) | 150-425-2024.exe | malicious | FormBook
  • 23.227.38.74
CLOUDFLARENET (US) | CHEMICAL SPECIFICATIONS.exe | malicious | AgentTesla
  • 104.26.13.205
CLOUDFLARENET (US) | Payment.exe | malicious | AgentTesla
  • 104.26.12.205
CLOUDFLARENET (US) | https://usigroups-my.sharepoint.com/:o:/p/js/Es3HdUJZlbVJngCJE-Z7JCYBUTZvd1ZCMQwZhhlQoy_hDw?e=mT2aQm | malicious | HTMLPhisher
  • 172.67.144.70
CLOUDFLARENET (US) | SOA FOR APR 2024 PDF.exe | malicious | AgentTesla, PureLog Stealer
  • 104.26.12.205
Match (JA3 TLS client fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Statement of Account PDF.bat.exe | malicious | AgentTesla, PureLog Stealer
  • 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | CHEMICAL SPECIFICATIONS.exe | malicious | AgentTesla
  • 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Payment.exe | malicious | AgentTesla
  • 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | SOA FOR APR 2024 PDF.exe | malicious | AgentTesla, PureLog Stealer
  • 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | DHL_ES567436735845755676678877988975877.vbs | malicious | FormBook, GuLoader, Remcos
  • 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | PO-inv-CQV20(92315).exe | malicious | AgentTesla
  • 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | a.cmd | malicious | Unknown
  • 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | http://papajoeschicago.com | malicious | Unknown
  • 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1 | malicious | Unknown
  • 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | o3KyzpE7F4.ps1 | malicious | AgentTesla, PureLog Stealer
  • 104.26.13.205
Note: the same fingerprint turns up for a VBS loader, a .cmd file and plain URL analyses, so it identifies the Windows TLS stack used by the client rather than this family. Treat it as a pivot for hunting similar sandbox runs, not as a standalone detection.
                                No context
                                Process:C:\Users\user\Desktop\PO#50124.exe
                                File Type:CSV text
                                Category:dropped
                                Size (bytes):2056
                                Entropy (8bit):5.342567089024067
                                Encrypted:false
                                SSDEEP:48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHKHxvj:iqlYqh3ou0aymsqwtI6eqzqqxwqRb
                                MD5:83A6E29FD802325CCCB720870B60C618
                                SHA1:4CD8AC6CA2659E4E32D1B27A8A4E77ABF980EE43
                                SHA-256:A81A5B984180553C06E7C9CAE0BAF7E195950801F493996F48FA59F1ACC135B2
                                SHA-512:69CC81145ACCA3D5C154D3A11396C2AFAEC4135662A82124EA249817BE7066D782DE2C79FE985E23F32F9709C144E2C513C727CFD1A88D677F34EB25E868B560
                                Malicious:false
                                Reputation:moderate, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\
Note: this CSV is the CLR's per-application assembly usage log, which the .NET runtime writes for any managed process; the "fusion"/"GAC"/NativeImages records are its standard format. It only tells us that the loader pulled in the WPF stack (WindowsBase, PresentationCore, PresentationFramework), which is consistent with a decoy GUI application; it is a side effect of execution, not a payload, and is not worth tracking as an indicator.
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.928711808007621
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:PO#50124.exe
                                File size:684'032 bytes
                                MD5:b4306234a3b45c69df6a6a7cecd6070c
                                SHA1:323197c988bc794e3a6314fce81dc20c48d234ee
                                SHA256:13129eaaaee8200a17214e947f0e984d10050e79c2cd5a963d7ada54ce3aa0a8
                                SHA512:a30bd4b6365ced8bf53fd6f57c0e30896bdea733305c2c51bd4e63f7c3451a12b64e85cd16c292a02cae6ae2083532ec72ff5151dfed7aa708279aa259cefe16
                                SSDEEP:12288:cHgnFyHgP/NbIyeSPqBFAbCS2m+2hTMRZuEAFgzknK7N8VJqaW:c+yHs/Nt8BUCmZhTGZuBFKR8V
                                TLSH:15E423B5323D8127C92C9BB91160D8E203F6D1492A82E3DC2D6765FD3BDB7028F12697
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..0...0......v@... ...`....@.. ....................................@................................
                                Icon Hash:0f235999b9792317
                                Entrypoint:0x4a4076
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x661FE895 [Wed Apr 17 15:19:49 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
aaa
dec eax
inc edi
inc edx
inc esi
inc ebx
add byte ptr [eax], al
cmp byte ptr [eax], dh
cmp byte ptr [48383441h], dh
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+34h], dl
push edi
push ebx
push edx
inc esi
xor eax, 0012C000h
add byte ptr [eax+00000025h], al
dec ebx
add byte ptr [eax], al
add byte ptr [esi-1F000000h], dl
add byte ptr [eax], al
add dl, al
add dword ptr [eax], eax
add byte ptr [eax], al
(the next 69 listed instructions all decode as "add byte ptr [eax], al", i.e. runs of zero bytes, and are omitted here)
Only the first instruction is real. The native entry point of a managed executable is a 6-byte jmp through the IAT slot at 0x402000 (ImageBase 0x400000 plus the IAT RVA 0x2000 in the data directories below) to mscoree.dll!_CorExeMain, which loads the CLR and transfers control to the managed entry point. The bytes after the jmp are assembly metadata and padding that the disassembler turns into nonsense, so nothing else in this listing is meaningful for analysis; the code that matters is the obfuscated IL, not this stub.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa4024 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa6000 | 0x1eb8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
The non-empty COM_DESCRIPTOR entry is the 0x48-byte CLR header that marks this file as a managed assembly. SECURITY is empty, so there is no Authenticode signature (matching "Digitally signed: false"), and there is no DEBUG, TLS or LOAD_CONFIG directory. The IAT is a single 8-byte slot at 0x2000 holding the only native import, mscoree!_CorExeMain.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa20b4 | 0xa3000 | bcb5223f8b89915134d542b5f61b354c | False | 0.9603189105636503 | data | 7.96596968808791 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa6000 | 0x1eb8 | 0x2000 | ceead6708bb187bb17ad3545be7a554d | False | 0.85107421875 | data | 7.304829849514365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa8000 | 0xc | 0x1000 | 55651858f4e62ebeb23c3eaacb01c3fc | False | 0.0087890625 | data | 0.016408464515625623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
The .text section holds 0xa3000 (667,648) of the file's 684,032 bytes at entropy 7.97 of a possible 8.0 (the whole file: 7.93), so the managed code section is essentially an encrypted or compressed blob; the decoded payload appears only at run time, in the second process (the memory dumps prefixed 00000003 at 0x402000 in the URL table above). Static signatures written against the packed file are therefore brittle, while the run-time strings and the network indicators are the durable ones. The .rsrc entropy of 7.3 is accounted for by the 6 KB compressed PNG icon that makes up most of that section (see the resource table).
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xa6100 | 0x1834 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9917688831504197
RT_GROUP_ICON | 0xa7944 | 0x14 | data | | | 1.05
RT_VERSION | 0xa7968 | 0x350 | data | | | 0.44221698113207547
RT_MANIFEST | 0xa7cc8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
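The two static checks that the section and data-directory tables above rest on, per-section 8-bit entropy and the presence of a CLR header, are easy to reproduce. The following is an added example written for this page, not Joe Sandbox's or the sample's code: a standard-library PE32 walker that computes both. Because it has to run offline it builds its own minimal, non-loadable PE image (a random-filled .text standing in for the encrypted payload and a zeroed .reloc, with the report's ImageBase and CLR header RVA/size copied in); the 7.5 entropy cut-off is an analyst assumption, not a Joe Sandbox constant.

```python
"""Minimal PE32 section triage with the standard library only.

Added example (not Joe Sandbox code): reproduces the per-section entropy and
.NET (CLR header) checks behind the report's section and data-directory tables,
on a synthetic PE image constructed below so that it runs offline."""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY_THRESHOLD = 7.5   # assumption: analyst cut-off; the report's .text is at 7.97


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 (one value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Walk DOS -> COFF -> optional header -> section headers; no loading or relocation."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    is_pe32 = struct.unpack_from("<H", pe, opt)[0] == 0x10B
    # Data directories start at +96 (PE32) or +112 (PE32+); index 14 is the CLR runtime
    # header, i.e. the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR row of the report.
    dd_base = opt + (96 if is_pe32 else 112)
    clr_rva, clr_size = struct.unpack_from("<II", pe, dd_base + 14 * 8)
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
            "executable": bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)),
        })
    return {"is_dotnet": clr_rva != 0 and clr_size != 0, "sections": sections}


def triage(pe: bytes) -> dict:
    """Flag executable sections whose entropy says 'encrypted blob', as this sample's .text does."""
    info = parse_pe(pe)
    info["likely_packed"] = [s["name"] for s in info["sections"]
                             if s["executable"] and s["entropy"] > PACKED_ENTROPY_THRESHOLD]
    return info


def build_sample_pe(text_data: bytes, reloc_data: bytes, dotnet: bool = True) -> bytes:
    """Constructed input: a minimal, non-loadable PE32 with a .text and a .reloc section.
    ImageBase 0x400000 and the CLR header at RVA 0x2008 / size 0x48 mirror the report."""
    e_lfanew, file_align, sect_align, opt_size, nsections = 0x80, 0x200, 0x2000, 0xE0, 2

    def align(x: int) -> int:
        return (x + file_align - 1) // file_align * file_align

    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, opt_size, 0x0102)  # i386, EXE, 32-bit
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header directory
    text_ptr = align(e_lfanew + 4 + 20 + opt_size + 40 * nsections)
    reloc_ptr = align(text_ptr + len(text_data))
    reloc_va = 0x2000 + (len(text_data) + sect_align - 1) // sect_align * sect_align
    sh = struct.pack("<8sIIIIIIHHI", b".text", len(text_data), 0x2000, len(text_data), text_ptr, 0, 0, 0, 0, 0x60000020)
    sh += struct.pack("<8sIIIIIIHHI", b".reloc", len(reloc_data), reloc_va, len(reloc_data), reloc_ptr, 0, 0, 0, 0, 0x42000040)
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + sh)
    image.extend(bytes(text_ptr - len(image)))
    image.extend(text_data)
    image.extend(bytes(reloc_ptr - len(image)))
    image.extend(reloc_data)
    return bytes(image)


# Constructed section contents: seeded pseudo-random bytes stand in for the encrypted
# payload, zeros for the near-empty .reloc (entropy 0.016 in the report).
_rng = random.Random(1)
SAMPLE_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_RELOC = bytes(512)

if __name__ == "__main__":
    result = triage(build_sample_pe(SAMPLE_TEXT, SAMPLE_RELOC))
    for s in result["sections"]:
        print(f'{s["name"]:<8} va=0x{s["virtual_address"]:x} raw=0x{s["raw_size"]:x} entropy={s["entropy"]:.3f}')
    print("is_dotnet:", result["is_dotnet"], "likely_packed:", result["likely_packed"])
```

On a real file, pass the bytes of the sample to triage() instead of the synthetic image; a managed assembly whose only executable section sits near 8.0 bits per byte is the combination the report shows, and is a better packed-.NET heuristic than any single string signature.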
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2024 11:09:21.727916002 CEST | 49706 | 443 | 192.168.2.7 | 104.26.13.205
Apr 26, 2024 11:09:21.727952003 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.7
Apr 26, 2024 11:09:21.728034973 CEST | 49706 | 443 | 192.168.2.7 | 104.26.13.205
Apr 26, 2024 11:09:21.734937906 CEST | 49706 | 443 | 192.168.2.7 | 104.26.13.205
Apr 26, 2024 11:09:21.734956980 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.7
Apr 26, 2024 11:09:21.997566938 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.7
Apr 26, 2024 11:09:21.997647047 CEST | 49706 | 443 | 192.168.2.7 | 104.26.13.205
Apr 26, 2024 11:09:22.000809908 CEST | 49706 | 443 | 192.168.2.7 | 104.26.13.205
Apr 26, 2024 11:09:22.000821114 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.7
Apr 26, 2024 11:09:22.001096964 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.7
Apr 26, 2024 11:09:22.053286076 CEST | 49706 | 443 | 192.168.2.7 | 104.26.13.205
Apr 26, 2024 11:09:22.100111008 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.7
Apr 26, 2024 11:09:22.322062969 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.7
Apr 26, 2024 11:09:22.322122097 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.7
Apr 26, 2024 11:09:22.322180033 CEST | 49706 | 443 | 192.168.2.7 | 104.26.13.205
Apr 26, 2024 11:09:22.329534054 CEST | 49706 | 443 | 192.168.2.7 | 104.26.13.205
Apr 26, 2024 11:09:23.114649057 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:23.311001062 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:23.311104059 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:23.580672979 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:23.580873966 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:23.777550936 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:23.778237104 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:23.976628065 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:23.977077961 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:24.187994003 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:24.188236952 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:24.188302994 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:24.188321114 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:24.234986067 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:24.431734085 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:24.434525967 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:24.631253004 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:24.632227898 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:24.869391918 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:28.831072092 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:28.832226038 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:29.028562069 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:30.516271114 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:30.516583920 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:30.713332891 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:30.713393927 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:30.714318991 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Apr 26, 2024 11:09:30.714421988 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:30.719206095 CEST | 49707 | 587 | 192.168.2.7 | 50.87.219.149
Apr 26, 2024 11:09:30.915602922 CEST | 587 | 49707 | 50.87.219.149 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2024 11:09:21.595833063 CEST | 57789 | 53 | 192.168.2.7 | 1.1.1.1
Apr 26, 2024 11:09:21.720652103 CEST | 53 | 57789 | 1.1.1.1 | 192.168.2.7
Apr 26, 2024 11:09:22.954212904 CEST | 52832 | 53 | 192.168.2.7 | 1.1.1.1
Apr 26, 2024 11:09:23.113743067 CEST | 53 | 52832 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 26, 2024 11:09:21.595833063 CEST | 192.168.2.7 | 1.1.1.1 | 0x6f3d | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 26, 2024 11:09:22.954212904 CEST | 192.168.2.7 | 1.1.1.1 | 0xbbb7 | Standard query (0) | mail.alkuwaiti.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 26, 2024 11:09:21.720652103 CEST | 1.1.1.1 | 192.168.2.7 | 0x6f3d | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 11:09:21.720652103 CEST | 1.1.1.1 | 192.168.2.7 | 0x6f3d | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 11:09:21.720652103 CEST | 1.1.1.1 | 192.168.2.7 | 0x6f3d | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 11:09:23.113743067 CEST | 1.1.1.1 | 192.168.2.7 | 0xbbb7 | No error (0) | mail.alkuwaiti.com | | 50.87.219.149 | A (IP address) | IN (0x0001) | false
HTTPS proxied: api.ipify.org

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49706        104.26.13.205   443               7252  C:\Users\user\Desktop\PO#50124.exe

Timestamp                Bytes  Direction  Data
2024-04-26 09:09:22 UTC  155    OUT        GET / HTTP/1.1
                                           User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                           Host: api.ipify.org
                                           Connection: Keep-Alive
2024-04-26 09:09:22 UTC  211    IN         HTTP/1.1 200 OK
                                           Date: Fri, 26 Apr 2024 09:09:22 GMT
                                           Content-Type: text/plain
                                           Content-Length: 15
                                           Connection: close
                                           Vary: Origin
                                           CF-Cache-Status: DYNAMIC
                                           Server: cloudflare
                                           CF-RAY: 87a56efdda2931e6-MIA
2024-04-26 09:09:22 UTC  15     IN         Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30
                                           Data Ascii: 102.129.152.220

The 15-byte body is the analysis host's public IP address as seen by ipify; the same address is echoed back by the mail server in its EHLO reply in the SMTP session below. A fixed browser-style User-Agent sent by a non-browser process (PID 7252, the sample itself) is a usable network indicator on its own.


SMTP session: mail.alkuwaiti.com (50.87.219.149:587)

Timestamp                              Source Port  Dest Port  Source IP      Dest IP        Commands
Apr 26, 2024 11:09:23.580672979 CEST   587          49707      50.87.219.149  192.168.2.7    220-box2389.bluehost.com ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 03:09:23 -0600
                                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                                              220 and/or bulk e-mail.
Apr 26, 2024 11:09:23.580873966 CEST   49707        587        192.168.2.7    50.87.219.149  EHLO 579569
Apr 26, 2024 11:09:23.777550936 CEST   587          49707      50.87.219.149  192.168.2.7    250-box2389.bluehost.com Hello 579569 [102.129.152.220]
                                                                                              250-SIZE 52428800
                                                                                              250-8BITMIME
                                                                                              250-PIPELINING
                                                                                              250-PIPECONNECT
                                                                                              250-AUTH PLAIN LOGIN
                                                                                              250-STARTTLS
                                                                                              250 HELP
Apr 26, 2024 11:09:23.778237104 CEST   49707        587        192.168.2.7    50.87.219.149  STARTTLS
Apr 26, 2024 11:09:23.976628065 CEST   587          49707      50.87.219.149  192.168.2.7    220 TLS go ahead

The plaintext capture ends at STARTTLS: the AUTH exchange and the stolen data itself travel inside the TLS session that follows (the port 587 packets at 11:09:30 in the TCP table above) and are not decoded here. The bare numeric EHLO argument (579569) and the mail host name are worth matching on alongside the destination IP, since the server's Hello line also confirms the public IP obtained from api.ipify.org one second earlier.
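The sequence recorded above (a public-IP lookup, then a DNS query for a mail host, then an outbound SMTP submission on port 587, all from the same process within a couple of seconds) is the detection opportunity. The following is an added example and not part of the Joe Sandbox report: it correlates Sysmon-style DNS (Event ID 22) and network-connect (Event ID 3) records for that pattern. The event records are constructed to mirror the report's timeline, and the allow-list of mail-client images is an assumption to be tuned per estate.

```python
"""Correlate host telemetry for the stealer exfiltration pattern seen in the
sandbox run: a process looks up its public IP (api.ipify.org), then opens an
outbound SMTP connection. Events below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Public-IP lookup services commonly contacted before exfiltration (assumed list).
PUBLIC_IP_SERVICES = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org"}
SMTP_PORTS = {25, 465, 587}
# Assumed allow-list of images that are expected to speak SMTP; tune for the estate.
MAIL_CLIENT_IMAGES = {"outlook.exe", "thunderbird.exe"}
WINDOW = timedelta(seconds=120)


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int          # 22 = DnsQuery, 3 = NetworkConnect (Sysmon numbering)
    pid: int
    image: str
    query: str = ""        # Event 22: queried name
    dest_ip: str = ""      # Event 3: destination address
    dest_port: int = 0     # Event 3: destination port


def correlate(events: Iterable[Event]) -> list[dict]:
    """Return one finding per process that performed a public-IP lookup and,
    within WINDOW, connected to an SMTP port from a non-mail-client image."""
    lookups: dict[int, Event] = {}   # pid -> most recent public-IP lookup
    findings: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 22 and ev.query.lower() in PUBLIC_IP_SERVICES:
            lookups[ev.pid] = ev
        elif ev.event_id == 3 and ev.dest_port in SMTP_PORTS:
            first = lookups.get(ev.pid)
            if first is None or ev.ts - first.ts > WINDOW:
                continue  # no preceding lookup from this process, or too old
            if ev.image.rsplit("\\", 1)[-1].lower() in MAIL_CLIENT_IMAGES:
                continue  # a real mail client is allowed to do this
            findings.append({
                "pid": ev.pid,
                "image": ev.image,
                "ip_lookup": first.query,
                "smtp_dest": f"{ev.dest_ip}:{ev.dest_port}",
                "delta_s": (ev.ts - first.ts).total_seconds(),
            })
            del lookups[ev.pid]  # one finding per lookup
    return findings


# Constructed sample telemetry mirroring the report's timeline (09:09:21-23 UTC).
T0 = datetime(2024, 4, 26, 9, 9, 21)
SAMPLE = "C:\\Users\\user\\Desktop\\PO#50124.exe"
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    Event(T0, 22, 7252, SAMPLE, query="api.ipify.org"),
    Event(T0 + timedelta(seconds=1), 3, 7252, SAMPLE, dest_ip="104.26.13.205", dest_port=443),
    Event(T0 + timedelta(seconds=1, milliseconds=400), 22, 7252, SAMPLE, query="mail.alkuwaiti.com"),
    Event(T0 + timedelta(seconds=2), 3, 7252, SAMPLE, dest_ip="50.87.219.149", dest_port=587),
    # Benign: a mail client doing the same thing must not fire.
    Event(T0, 22, 4100, OUTLOOK, query="api.ipify.org"),
    Event(T0 + timedelta(seconds=3), 3, 4100, OUTLOOK, dest_ip="203.0.113.10", dest_port=587),
    # Benign: SMTP without a preceding public-IP lookup.
    Event(T0 + timedelta(seconds=5), 3, 5120, "C:\\Tools\\backup.exe", dest_ip="203.0.113.11", dest_port=25),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run it as-is and only the PO#50124.exe chain is reported. In production, feed it Sysmon events with `Initiated=true` on Event ID 3 and extend the allow-list rather than widening the window; a generous window is what makes the rule fire on backup agents and monitoring tools.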


                                Target ID:0
                                Start time:11:09:17
                                Start date:26/04/2024
                                Path:C:\Users\user\Desktop\PO#50124.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\PO#50124.exe"
                                Imagebase:0xa40000
                                File size:684'032 bytes
                                MD5 hash:B4306234A3B45C69DF6A6A7CECD6070C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1386811526.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1386811526.0000000003FC3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:11:09:20
                                Start date:26/04/2024
                                Path:C:\Users\user\Desktop\PO#50124.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\PO#50124.exe"
                                Imagebase:0x860000
                                File size:684'032 bytes
                                MD5 hash:B4306234A3B45C69DF6A6A7CECD6070C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2591871064.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2591871064.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2591871064.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2589430439.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:3.5%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:10
                                  Total number of Limit Nodes:1
execution_graph (rendered in the original report):
• 13ab838 -> 13ab87a -> 13ab880 (GetModuleHandleW) -> 13ab8ad; 13ab838 also branches directly to 13ab880
• 13ab8e0 -> 13ab8f4 -> 13aabd0 -> 13abaa0 (LoadLibraryExW) -> 13abb19 -> 13ab919; 13ab8f4 also branches directly to 13ab919
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31bb5249b84435ba372052bf40e83a5762f13d2a255873b7b7e8910d1e599a73
                                  • Instruction ID: f9a09c4f2a1448c925f62df6412155e603f42a98d0c85cf2464d7dc511f08a62
                                  • Opcode Fuzzy Hash: 31bb5249b84435ba372052bf40e83a5762f13d2a255873b7b7e8910d1e599a73
                                  • Instruction Fuzzy Hash: 04E0127481E24ADFCB018F2099155B9FFBC5B5B214F0025A5980A97256D7709959CB04
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; executed and non-executed blocks were colour-coded)
• Basic blocks: 13aabd0-13abae0 (entry), 13abae2-13abae5, 13abae8-13abb17 (calls LoadLibraryExW), 13abb19-13abb1f, 13abb20-13abb3d
• Edges: 13aabd0 -> 13abae8 | 13abae2; 13abae2 -> 13abae8; 13abae8 -> 13abb19 | 13abb20; 13abb19 -> 13abb20
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,013AB919,00000800,00000000,00000000), ref: 013ABB0A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1385955915.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_13a0000_PO#50124.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 6a4dfb1c593e40d00ab3a367817d58816de6a655d51be728db2f8a27a8ce1e03
                                  • Instruction ID: d12b2a32dd4b39331c52df139876fc63332887cef725626a69cd7c8a0f00477b
                                  • Opcode Fuzzy Hash: 6a4dfb1c593e40d00ab3a367817d58816de6a655d51be728db2f8a27a8ce1e03
                                  • Instruction Fuzzy Hash: 0F1100B6D003098FDB24DF9AC444BAEFBF4EB88314F50842AE919A7200C375A945CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; executed and non-executed blocks were colour-coded)
• Basic blocks: 13ab838-13ab878 (entry), 13ab87a-13ab87d, 13ab880-13ab8ab (calls GetModuleHandleW), 13ab8ad-13ab8b3, 13ab8b4-13ab8c8
• Edges: 13ab838 -> 13ab87a | 13ab880; 13ab87a -> 13ab880; 13ab880 -> 13ab8ad | 13ab8b4; 13ab8ad -> 13ab8b4
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 013AB89E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1385955915.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_13a0000_PO#50124.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 86d97d06473fd6353dd6727a93d1a2b0c2186cf66123fa77cf784518ecdf0338
                                  • Instruction ID: d845739be123872971100e7b1c9ff5e3486a5f26c5f3af171b499b17b431d346
                                  • Opcode Fuzzy Hash: 86d97d06473fd6353dd6727a93d1a2b0c2186cf66123fa77cf784518ecdf0338
                                  • Instruction Fuzzy Hash: 5711E3B5C003498FDB14DF9AC445BDEFBF8EB88314F14842AD529A7214D375A545CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; executed and non-executed blocks were colour-coded)
• Basic blocks: 7690656-7690666 (entry), 7690668-7690674, 769067f-769069b, 76906a0-76906e2, 76906e8-769075e, 7690764-7690765, 76901e5-76901ee, 76901f0, 76901f7-7690b21
• Edges: 7690656 -> 7690668 -> 769067f -> 76906a0 -> 76906e8 | 76901e5; 76906e8 -> 769067f (loop) | 7690764; 7690764 -> 7690668 (loop); 76901e5 -> 76901f0 | 76901f7; 76901f0 -> 76901f7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (
                                  • API String ID: 0-3887548279
                                  • Opcode ID: ccb266cd2730d95651f9167df2c3395221523b4bb51c451df55305fa16bad222
                                  • Instruction ID: f947ddbf28fdf611bdb4b72146649a0ee1ee8904c4983284e6081272376f9c2b
                                  • Opcode Fuzzy Hash: ccb266cd2730d95651f9167df2c3395221523b4bb51c451df55305fa16bad222
                                  • Instruction Fuzzy Hash: AA2112B0815229CFCBA1CF64C9507ECBBB8FB0E310F1094E9D51EA2282DB315A92CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; executed and non-executed blocks were colour-coded)
• 40 basic blocks spanning 7691768-7691aeb (entry 7691768); calls to 769145c (from 76919df), 769144c (from 76918b3) and 769146c (from 7691ac1). The full edge list is in the original report.
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c70a656164983505377a9f36fcc851c837677149f2dad0762900bf9282193873
                                  • Instruction ID: 168bf7900f269bc0629a7a16a9ee2641c4f9728431bac95ea10d2831a9222d2d
                                  • Opcode Fuzzy Hash: c70a656164983505377a9f36fcc851c837677149f2dad0762900bf9282193873
                                  • Instruction Fuzzy Hash: FBB18E74B0120A9FDB18DB78D594BAEB7FAEF89604F2440A9E506DB3A1CB30DD01CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; executed and non-executed blocks were colour-coded)
• 13 basic blocks spanning 10bd06c-10bd150 (entry 10bd06c); no API calls in the graph.
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1385253281.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10bd000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d9caf4c0ebb6d3658229a21d3ecf2b0c6d16f139a4a76d857dc7fd65f6a8a76
                                  • Instruction ID: 219c228da2fd6b859e395eab406cc1a1d00811f6349dc7ccd3b03af5365e66ad
                                  • Opcode Fuzzy Hash: 2d9caf4c0ebb6d3658229a21d3ecf2b0c6d16f139a4a76d857dc7fd65f6a8a76
                                  • Instruction Fuzzy Hash: FE214B71504200EFDB15DF94D9C0B56FFA5FB88318F20C5A9E9490F246C33AC416CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; executed and non-executed blocks were colour-coded)
• 4 basic blocks: 769010f-76901b5 (entry) -> 76901ba-76905b6 -> 76905bc-7690942 | 769094d-7690bb5; 76905bc -> 769094d; no API calls in the graph.
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f18704bfef21491d09a87a391a13b42c31670f9c2de520c67de3f5091c2b7956
                                  • Instruction ID: 8daebc80a57466226dc1c812f723988bd90a2d113f7172e47c2b487260d2c212
                                  • Opcode Fuzzy Hash: f18704bfef21491d09a87a391a13b42c31670f9c2de520c67de3f5091c2b7956
                                  • Instruction Fuzzy Hash: A33114B495421ADFDB64CF64C845BE9BBB9BF49300F1090EAD50EA7280EB309A85DF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; executed and non-executed blocks were colour-coded)
• 13 basic blocks spanning 10dd01c-10dd0f5 (entry 10dd01c); no API calls in the graph.
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1385380266.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10dd000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2ce4c80e203d0f99a1417fa8f5216ef7fa2c653f9d720360efaf0c93c3fe8bbd
                                  • Instruction ID: 45eb5833b42a50b1d2feb6d2d57b6f58071423c3e072e22bb02f1183aef4f319
                                  • Opcode Fuzzy Hash: 2ce4c80e203d0f99a1417fa8f5216ef7fa2c653f9d720360efaf0c93c3fe8bbd
                                  • Instruction Fuzzy Hash: AD21D075604300DFDB25DF64D984B16BFA5EBC8314F24C5ADE98A4B286C336D847CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered in the original report; executed and non-executed blocks were colour-coded)
• 13 basic blocks spanning 10dd2f0-10dd3c9 (entry 10dd2f0); no API calls in the graph.
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1385380266.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10dd000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 956678b86789cec984ccfbf72714a62be87f4c97b25e82329a3de4c9722614b7
                                  • Instruction ID: 719fce973eb51ef4f54a4f41bb3f14fbb5be4917441b906ab4ac7a161024e6a0
                                  • Opcode Fuzzy Hash: 956678b86789cec984ccfbf72714a62be87f4c97b25e82329a3de4c9722614b7
                                  • Instruction Fuzzy Hash: EF21F5B1604304DFDB15DF94D9C0B2ABBA5EB84314F20C5ADD8894B286C736D446CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cbfee93f3ae1ec32161d1b4af7142bf47b62dd89b0dbc8247297554277f3b692
                                  • Instruction ID: 749d9206c3f75a7a14c98b97f95a920f1e45d749e4d22a03e6d68d18041da489
                                  • Opcode Fuzzy Hash: cbfee93f3ae1ec32161d1b4af7142bf47b62dd89b0dbc8247297554277f3b692
                                  • Instruction Fuzzy Hash: FB11B47170030A8BEB18DA29C8807AAB6E6FF85211F64C079D40ECB755DE30A8468B94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1732b3f17504c122b8a69d0ac2711281d9048c4ba42245b570410b5115e43c9
                                  • Instruction ID: 131c7c1dc0d4621cc6593fa902205b55f41a325d34eb5c31c5bc7e3a7bce8e76
                                  • Opcode Fuzzy Hash: a1732b3f17504c122b8a69d0ac2711281d9048c4ba42245b570410b5115e43c9
                                  • Instruction Fuzzy Hash: E011E4B17043078BDB18DB68C8907AAB7F6BF85211F28C07AC44ACF756DE309846CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1385380266.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10dd000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 70e1c55ea2d12505c2f58f0750827d822034ccf1cea6a652c25d54b9a0222ea3
                                  • Instruction ID: b126655bfce8713523873fbf075707c5008d4d69f2ee8d854660a5f9a0c9dc8b
                                  • Opcode Fuzzy Hash: 70e1c55ea2d12505c2f58f0750827d822034ccf1cea6a652c25d54b9a0222ea3
                                  • Instruction Fuzzy Hash: 0021C6755093808FCB17CF64D590715BFB1EB85314F28C5DAD8898B697C33AD40ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1385253281.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10bd000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5ce60a6613beba357b00576ac525f5d38281a445edcd2f7d64ba7977a5eeb665
                                  • Instruction ID: d8317670683862858a37df7a968b913fa612606597c6cbfd68fb6e5c25d7e13b
                                  • Opcode Fuzzy Hash: 5ce60a6613beba357b00576ac525f5d38281a445edcd2f7d64ba7977a5eeb665
                                  • Instruction Fuzzy Hash: 50219D76504284EFDB06CF54D9C4B56BFB2FB88318F2486A9D9890B256C33AD426CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1385380266.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10dd000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                  • Instruction ID: 4c281dfc0560197bc70ce7fbbf1d91c02b1b7c5d0d03048ca372f50f22e6c1c4
                                  • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                  • Instruction Fuzzy Hash: 3711BB75504380CFCB06CF58D5C0B15BBA2FB84324F24C6AAD8894B296C33AD40ACF62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1d9c9492480b088270918e2118dbe81ea76049e127e83e70eb86e1c3e1e29ba4
                                  • Instruction ID: ff32afe47ab4ce53cbee9f9b9ea8d0eca9dd010d7ee41673f00484d9bc51e108
                                  • Opcode Fuzzy Hash: 1d9c9492480b088270918e2118dbe81ea76049e127e83e70eb86e1c3e1e29ba4
                                  • Instruction Fuzzy Hash: 011146B4A15219CFDB60CF64CD45BE8BBB8BF09304F1090EAE54EA7281DB706A81CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 42e1e48b11360fc0053b5772c78cf4b89e5a79f4ae793b3c08a450e663572382
                                  • Instruction ID: d34d4d6210fe78067f4fd7f93c6649735e010f228eb79f3ff38668eca4aae4a6
                                  • Opcode Fuzzy Hash: 42e1e48b11360fc0053b5772c78cf4b89e5a79f4ae793b3c08a450e663572382
                                  • Instruction Fuzzy Hash: F9113774919259CFCF64CF20C9547E8BBF9AB4A314F1491E5C41EAB392D7319A86CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1385253281.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10bd000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f6d2ec3838c4d8a1f1868ce6eec5c01a68ff0a170e70f39cdece7a8741c6f6b0
                                  • Instruction ID: d058f4b93ab2a98defda49d0ab49ce961f83b30224278b12cac91c6503225c62
                                  • Opcode Fuzzy Hash: f6d2ec3838c4d8a1f1868ce6eec5c01a68ff0a170e70f39cdece7a8741c6f6b0
                                  • Instruction Fuzzy Hash: AB01F7311093049EE7204E55CCC47AAFFD9DF41729F08C45AED990A282C2389844CB75
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1385253281.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10bd000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1390347406.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7690000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage: 11.6%
                                  Dynamic/Decrypted Code Coverage: 100%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 19
                                  Total number of Limit Nodes: 4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q$$q$$q$$q$$q
                                  • API String ID: 0-2069967915
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q$$q$$q$$q$$q
                                  • API String ID: 0-2069967915
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q
                                  • API String ID: 0-3126353813
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $
                                  • API String ID: 0-3993045852
                                  • Opcode ID: df66e4543529be6db2d2540678bc2d21b7afc34d05dd19212e97a5f088415cb3
                                  • Instruction ID: 6b9b52b235e6a3e1ae4b482fe492aab656286c5733ccf9e2711bc5b199b13de6
                                  • Opcode Fuzzy Hash: df66e4543529be6db2d2540678bc2d21b7afc34d05dd19212e97a5f088415cb3
                                  • Instruction Fuzzy Hash: CF22BF35F202048FDF64DBA8C4806AEBBF2EF95310F25846AD656EB384DA35DC41CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ddd9143f57d0d8dd423f627a056f7c4c3ce05506de12f52e88eb5f26bd49ec93
                                  • Instruction ID: c417619d4f2bc95f7f48c3976639ac53780d83a22411835ea3c8663292ccf039
                                  • Opcode Fuzzy Hash: ddd9143f57d0d8dd423f627a056f7c4c3ce05506de12f52e88eb5f26bd49ec93
                                  • Instruction Fuzzy Hash: 3D628E35B102048FDB64DB68D594BADBBF2EF84314F148669E605EB354EB35EC86CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d66dae22a083d9dae2fd83061649d6b3217fd0c7fd71dcd6677be48bd46f3439
                                  • Instruction ID: f45be69fbf5a5779394a8ac6da08d31692679ef0608ee44fff28219a8c27caac
                                  • Opcode Fuzzy Hash: d66dae22a083d9dae2fd83061649d6b3217fd0c7fd71dcd6677be48bd46f3439
                                  • Instruction Fuzzy Hash: 71329375F102098FDB64DB68D490BAEBBB2FB88314F108525E605EB394DB35ED42CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Function entry 68facd8 (blocks 68fac87-68fb228); calls 68f6598 (twice), 68fb230 and 68fb240; no named API reference. Edge list of the rendered graph omitted.
104 68fae91-68faea2 91->104 94->91 95->91 96->63 97->96 106 68fae85-68fae87 103->106 107 68fae83 103->107 110 68faeba-68faece 104->110 111 68faea4-68faeaa 104->111 106->104 107->104 110->26 113 68faeae-68faeb0 111->113 114 68faeac 111->114 113->110 114->110 133->55 134->55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                  • API String ID: 0-3886557441
                                  • Opcode ID: 591fb1f257f676e40fc1a0ed479133258f750f48fffd5f940277274b65655be7
                                  • Instruction ID: e83ce11043e122eac89d5849802d00b43191d99b689d113ab7ff451cf5a0a0dd
                                  • Opcode Fuzzy Hash: 591fb1f257f676e40fc1a0ed479133258f750f48fffd5f940277274b65655be7
                                  • Instruction Fuzzy Hash: 5FE16130E20309CFDB69DB69D4906AEBBB2FF85314F118529D609EB344DB71EC468B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Function entry 68f9150 (blocks 68f9150-68f9a7d); no calls, no named API reference. Edge list of the rendered graph omitted.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q$$q$$q
                                  • API String ID: 0-4102054182
                                  • Opcode ID: 666b0d38a0e11e117c2ecfe03a744ecabf4cadc392e4cb48e196ac2d9e13cafd
                                  • Instruction ID: c03eca6198125869c45e0a34322d959fc0bc810d68ebded643536f0bd6bdffce
                                  • Opcode Fuzzy Hash: 666b0d38a0e11e117c2ecfe03a744ecabf4cadc392e4cb48e196ac2d9e13cafd
                                  • Instruction Fuzzy Hash: BB916330F102198FDB64DB69D850BAEBBF2BF89300F108565D919EB344EE71DD818B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Function entry 68fcf58 (blocks 68fcf58-68fdaaf); calls 68f6598 (three times), 68fdac5 and 68fdad8; no named API reference. Edge list of the rendered graph omitted.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q$$q
                                  • API String ID: 0-3067366958
                                  • Opcode ID: 2e909d40528ee6d7e7722c2df8d175ac25890fc7b43337cb5bbf9ec87a3e0538
                                  • Instruction ID: 0c0e28f997ac786e5217a5af05ac346a1cb984f723a034942776a1b5b8df4063
                                  • Opcode Fuzzy Hash: 2e909d40528ee6d7e7722c2df8d175ac25890fc7b43337cb5bbf9ec87a3e0538
                                  • Instruction Fuzzy Hash: 91625834A107198FCB65EB68D591A9EBBE2FF84304B208A68D505DF358DB71FC46CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Function entry 68f4b58 (blocks 68f4b58-68f52a3); calls 68f5408 and 68f5418; no named API reference. Edge list of the rendered graph omitted.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: fq$XPq$\Oq
                                  • API String ID: 0-132346853
                                  • Opcode ID: f6c7b2c4170c48b2330e704f6bed22fc5a84163378f36509f9ac55650c797436
                                  • Instruction ID: 2e4e4a759f18147c274847a8fd3fd3264385afbf7caba221ef63ea10e24cfae9
                                  • Opcode Fuzzy Hash: f6c7b2c4170c48b2330e704f6bed22fc5a84163378f36509f9ac55650c797436
                                  • Instruction Fuzzy Hash: C0617F30E102089FEB549BA9C8557AEBEF6FF88300F20852AE205EB395DE754C45CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Function entry 114eb50 (blocks 114eb50-114eccd); calls 114e2b8 from block 114eb85-114eba2; block 114ec0f-114ec9c references GlobalMemoryStatusEx. Edge list of the rendered graph omitted.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2591052710.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_1140000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: _
                                  • API String ID: 0-701932520
                                  • Opcode ID: 7568d695be304a023af5da9fbf94c8ecae5d1975f3ea631f827e034bc9eae4f5
                                  • Instruction ID: 37a77d6e022e3a6ee7c2762c1fe1b936b40f17520bcb531a7f14cceecf678023
                                  • Opcode Fuzzy Hash: 7568d695be304a023af5da9fbf94c8ecae5d1975f3ea631f827e034bc9eae4f5
                                  • Instruction Fuzzy Hash: 25412472D043498FDB18DFA9D80479EBBF0AF89210F15856AD504A7381EB389845CBD0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Function entry 68f9141 (blocks 68f9141-68f9a7d); no calls, no named API reference; from 68f9150 onward its blocks coincide with those of the function listed above at entry 68f9150. Edge list of the rendered graph omitted.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q
                                  • API String ID: 0-3126353813
                                  • Opcode ID: 78ed597026b5c50203aa4fededbccd349ea3fc56cb91a01ca864947f376ecea5
                                  • Instruction ID: 360b5562f2b8dd8e4c64f02a8b2f44c7a2dffdfe9d219b1ab2d62a5d8154d24c
                                  • Opcode Fuzzy Hash: 78ed597026b5c50203aa4fededbccd349ea3fc56cb91a01ca864947f376ecea5
                                  • Instruction Fuzzy Hash: 9F516031F102159FDB54DB69D850BAE7BF2BF88300F108469D919DB348EA71DC828B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Function entry 114e2b8: one straight-line block 114e2b8-114ec9c ending in the GlobalMemoryStatusEx call, then a branch either through 114ec9e-114eca4 or directly to 114eca5-114eccd, where both paths join. Edge list of the rendered graph omitted.
                                  APIs
                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0114EBA2), ref: 0114EC8F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2591052710.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_1140000_PO#50124.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: afdb1dd25dd154e413bc6c1b97d7f49cdc25cb2e78e2473c36cc9e7c5fb94d1f
                                  • Instruction ID: 01ca0bb09a58ab63219fae517c591f361b33985548796f3012ac0435cf7f3768
                                  • Opcode Fuzzy Hash: afdb1dd25dd154e413bc6c1b97d7f49cdc25cb2e78e2473c36cc9e7c5fb94d1f
                                  • Instruction Fuzzy Hash: 931142B1C0065A9BDB24DF9AC545B9EFBF4FF08320F11812AE918B7240D778A941CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%
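The two functions at 114eb50 and 114e2b8 are the only ones in this part of the listing with a named Windows API reference (GlobalMemoryStatusEx; the caller's return address 0114EBA2 in the APIs line matches the end of block 114eb85-114eba2). The block below is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses the report's two textual formats seen here, the control_flow_graph edge list and the Memory Dump Source file name, into a per-function summary (entry, block range, call targets, API references) and a memory-region classification. Assumptions: of the dotted .sdmp name fields, only process index, stage and base address are confirmed by the page (they match the hcaresult_3_2_68f0000 snapshot name and the Offset value); treating the fifth field as the Protect value (0x40 = PAGE_EXECUTE_READWRITE) and the seventh as the memory Type (0x20000 = MEM_PRIVATE) is this example's reading, not something the report states. The sample lines are the report's own, embedded inline so the block runs offline.

```python
"""Added example (not from the Joe Sandbox report or its tooling): pull
structured data out of the textual function listing on this page, i.e.
  control_flow_graph <id> <start>[-<end>] [<ApiName>] [call <addr>] ... <a>-><b> ...
  Source File: <proc>.<stage>.<uid>.<base>.<f1>.<f2>.<f3>.<f4>.sdmp, Offset: <base>, based on PE: <bool>
Only proc, stage and base are cross-checked against the page (the
hcaresult_<proc>_<stage>_<base> snapshot name and the Offset value); reading
f1 as the page Protect value and f3 as the memory Type is an assumption here.
"""
import re
from dataclasses import dataclass, field

# winnt.h values (well known); which .sdmp name field carries them is assumed.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")
_SDMP = re.compile(r"Source File:\s*([0-9A-Fa-f.]+)\.sdmp,\s*Offset:\s*([0-9A-Fa-f]+),"
                   r"\s*based on PE:\s*(true|false)")

@dataclass
class FunctionSummary:
    entry: int                                 # start of the first listed block
    low: int                                   # lowest block start
    high: int                                  # highest block end
    blocks: int = 0
    edges: int = 0
    calls: list = field(default_factory=list)  # 'call <addr>' targets inside the dump
    apis: list = field(default_factory=list)   # named Windows API references

def parse_cfg(line: str) -> FunctionSummary:
    """Parse one 'control_flow_graph ...' line into a FunctionSummary."""
    toks = line.split()
    if toks[:1] != ["control_flow_graph"]:
        raise ValueError("not a control_flow_graph line")
    toks, fn, i = toks[1:], None, 0
    while i < len(toks):
        if _EDGE.match(toks[i]):               # "<a>-><b>" is one edge
            fn.edges, i = fn.edges + 1, i + 1
            continue
        m = _ADDR.match(toks[i + 1]) if toks[i].isdigit() and i + 1 < len(toks) else None
        if not m:                              # expected "<id> <start>[-<end>]"
            raise ValueError(f"unexpected token {toks[i]!r}")
        start = int(m.group(1), 16)
        end = int(m.group(2), 16) if m.group(2) else start
        if fn is None:
            fn = FunctionSummary(entry=start, low=start, high=end)
        fn.blocks += 1
        fn.low, fn.high = min(fn.low, start), max(fn.high, end)
        i += 2
        # Annotations follow the block until the next block id or edge.
        while i < len(toks) and not toks[i].isdigit() and not _EDGE.match(toks[i]):
            if toks[i] == "call":
                fn.calls.append(int(toks[i + 1], 16))
                i += 2
            else:
                fn.apis.append(toks[i])
                i += 1
    if fn is None:
        raise ValueError("graph has no blocks")
    return fn

def parse_dump_source(line: str) -> dict:
    """Parse a 'Source File: <name>.sdmp, Offset: ..., based on PE: ...' line."""
    m = _SDMP.search(line)
    if not m:
        raise ValueError("not a Memory Dump Source line")
    parts = m.group(1).split(".")
    if len(parts) != 8:
        raise ValueError(f"expected 8 dotted fields, got {len(parts)}")
    base, offset = int(parts[3], 16), int(m.group(2), 16)
    if base != offset:
        raise ValueError("base address field does not match Offset")
    flags = [int(p, 16) for p in parts[4:]]
    return {"process": int(parts[0]), "stage": int(parts[1]), "dump_id": parts[2],
            "base": base, "pe_backed": m.group(3) == "true", "flags": flags,
            "protect": PAGE_PROTECT.get(flags[0], f"0x{flags[0]:x}"),   # assumed field
            "mem_type": MEM_TYPE.get(flags[2], f"0x{flags[2]:x}")}      # assumed field

def is_memory_resident_code(src: dict) -> bool:
    """Heuristic: private RWX memory not backed by a PE image is where unpacked
    or injected code normally lives."""
    return (not src["pe_backed"] and src["protect"] == "PAGE_EXECUTE_READWRITE"
            and src["mem_type"] == "MEM_PRIVATE")

# Sample input, copied from this report page.
CFG_LINE = ("control_flow_graph 2507 114e2b8-114ec9c GlobalMemoryStatusEx "
            "2510 114eca5-114eccd 2507->2510 2511 114ec9e-114eca4 2507->2511 2511->2510")
SRC_LINE = ("Source File: 00000003.00000002.2598021793.00000000068F0000.00000040."
            "00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false")

if __name__ == "__main__":
    fn = parse_cfg(CFG_LINE)
    print(f"function 0x{fn.entry:x}: {fn.blocks} blocks, {fn.edges} edges, "
          f"apis={fn.apis}, calls={[hex(c) for c in fn.calls]}")
    src = parse_dump_source(SRC_LINE)
    print(f"dump 0x{src['base']:x} (proc {src['process']}, stage {src['stage']}): "
          f"{src['protect']} {src['mem_type']} resident={is_memory_resident_code(src)}")
```

parse_cfg accepts single-address blocks (the report emits entries such as "2406 68f572b") and the two annotation kinds that follow a block, "call <addr>" and a bare API name. is_memory_resident_code is a triage heuristic, not a signature: an RWX, private region that is not PE-backed is consistent with the report's ".NET source code contains potential unpacker" finding, but on its own it does not prove that the region holds unpacked code.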

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: XPq
                                  • API String ID: 0-1601936878
                                  • Opcode ID: adef97fb306bc86548355c9f2a17e15e966ca4843a4d28f9351c0f104616ec58
                                  • Instruction ID: 3e018e47e93889220938a14d94cfa25d55a19a8079a8654f6d00e54d353d5bb6
                                  • Opcode Fuzzy Hash: adef97fb306bc86548355c9f2a17e15e966ca4843a4d28f9351c0f104616ec58
                                  • Instruction Fuzzy Hash: 6D419C30A102089FDB549FA9C81579EBFF2FF88300F21852AE145AB395DA758C01CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHq
                                  • API String ID: 0-3820536768
                                  • Opcode ID: 0b969e3a478dbb44b5689a3865d05032d118fe92dec2c905a12a6466ddf7d947
                                  • Instruction ID: f33482d6b1ad4a2b3f2fd4570aa913defb9f2e686df3d431042aae0aff51438d
                                  • Opcode Fuzzy Hash: 0b969e3a478dbb44b5689a3865d05032d118fe92dec2c905a12a6466ddf7d947
                                  • Instruction Fuzzy Hash: AC417C30E106099FDB65DF65C4547AEBBB2FF89344F204929E606EB344EB70A846CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHq
                                  • API String ID: 0-3820536768
                                  • Opcode ID: a93baa52f0202217f4d6b59a7106e0f4a5f60c570059109ec13ad51ccbfa8921
                                  • Instruction ID: ccb29bca94e6483fc2349cde5487e709524c1e274bd88761c74a3b146bd06188
                                  • Opcode Fuzzy Hash: a93baa52f0202217f4d6b59a7106e0f4a5f60c570059109ec13ad51ccbfa8921
                                  • Instruction Fuzzy Hash: 5B418F30E10709CFDB65DF65C4546AEBBB2FF85340F24492AE605EB244EB75E846CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHq
                                  • API String ID: 0-3820536768
                                  • Opcode ID: 377838f37d6a9215a7503e321167f3feee80be0d4b76b574ea57e34484fa1a83
                                  • Instruction ID: 08eb3a39bacbf836176cb616858679f0ee7cfe83c94404840c336dab7a800427
                                  • Opcode Fuzzy Hash: 377838f37d6a9215a7503e321167f3feee80be0d4b76b574ea57e34484fa1a83
                                  • Instruction Fuzzy Hash: A4311030B202058FDB5A9BB5C02476EBBE2BB89200F244578D502DB398DF36DD42C790
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHq
                                  • API String ID: 0-3820536768
                                  • Opcode ID: c6ed4cc4d33b5a412ae244ef0b9a1baa47984ffbe132a36df23b948c9ecb4743
                                  • Instruction ID: 25ecd07473b6baa612fb56f4a914e286a8dddc565596840efe6815db331ea3b5
                                  • Opcode Fuzzy Hash: c6ed4cc4d33b5a412ae244ef0b9a1baa47984ffbe132a36df23b948c9ecb4743
                                  • Instruction Fuzzy Hash: E331EF30B202058FDB69ABB5D46476EBBE3BB89640F244578D502DB388DE32DD42C791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1474e675f78a844f625e5ba3128a9c552560b6807a0b2dd56b9cc181171e6cef
                                  • Instruction ID: eccae875356615ff4cb9f3f2562acc7126436b553e1471a5adba971f0570db33
                                  • Opcode Fuzzy Hash: 1474e675f78a844f625e5ba3128a9c552560b6807a0b2dd56b9cc181171e6cef
                                  • Instruction Fuzzy Hash: 8CA18370F202098FEF74DBA9C4907AEBBE6EB89310F248429E605DB395CA35DC819751
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                  • API String ID: 0-1298971921
                                  • Opcode ID: 65a767a2179156307e2f372be31a12a941b48853b9721e3f40d992585261997c
                                  • Instruction ID: a3a0390976b874a19304826e117795a2cbfe6d5000683cd4e17e192135e4ec9e
                                  • Opcode Fuzzy Hash: 65a767a2179156307e2f372be31a12a941b48853b9721e3f40d992585261997c
                                  • Instruction Fuzzy Hash: 31121B31E102198FEB64DB69E854B9EB7B2FF88705F218569D606EB354DB30DD81CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                  • API String ID: 0-3886557441
                                  • Opcode ID: 63652d0ffd744ad88649f92e3cfdc295903a5833313b91230c12238a97c492d8
                                  • Instruction ID: ae37a68d00ad39516fd63e8648eeeea450ed7a28551738d602525f6246a380a7
                                  • Opcode Fuzzy Hash: 63652d0ffd744ad88649f92e3cfdc295903a5833313b91230c12238a97c492d8
                                  • Instruction Fuzzy Hash: 6391CF30E20209DFEB68DB65D544BAE7BF2BF44314F108529EA09EB384DB74AC45CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q$$q$$q$$q$$q
                                  • API String ID: 0-2069967915
                                  • Opcode ID: bd48055952aee1751394e1c1e97032397c84940d3ff8e8c398cf5bbaa381b3c8
                                  • Instruction ID: adb5abefb03833a26a43e4d831b410c53eccb27c5acb039640ae03de2da5a879
                                  • Opcode Fuzzy Hash: bd48055952aee1751394e1c1e97032397c84940d3ff8e8c398cf5bbaa381b3c8
                                  • Instruction Fuzzy Hash: DDF14F30A10309CFEB58EB65D454BAEBBB2BF88705F248568D615DB398DB35EC42CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q$$q$$q
                                  • API String ID: 0-4102054182
                                  • Opcode ID: 060bdd371d3537f6ac79fed92d0b9dcfcec96fe16766e3b1a96fa96719cb9057
                                  • Instruction ID: f0f891c9ec7e20455fff3c581ddb6a47a4180b32128963cfdfb0ab18053c5218
                                  • Opcode Fuzzy Hash: 060bdd371d3537f6ac79fed92d0b9dcfcec96fe16766e3b1a96fa96719cb9057
                                  • Instruction Fuzzy Hash: 60B14C70F202098FDB68DBA5D8547AEBBB2BF88305F248569D605DB394DB74DC42CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q$$q$$q
                                  • API String ID: 0-4102054182
                                  • Opcode ID: ac8337ec35dffe4e16613ba9b30dbbfce85ba381c67fdd05e5f63248dfc4e7c9
                                  • Instruction ID: 47d61e298d2fa64034b5f9b1e34e8b7f585f0ff4cf1b21b14b351f8ff03fbbd5
                                  • Opcode Fuzzy Hash: ac8337ec35dffe4e16613ba9b30dbbfce85ba381c67fdd05e5f63248dfc4e7c9
                                  • Instruction Fuzzy Hash: 69519534F20205CFDFA9EB64D4806ADB7B6EB88725F148529EA09DB344DB31EC41CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2598021793.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68f0000_PO#50124.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LRq$LRq$$q$$q
                                  • API String ID: 0-2204215535
                                  • Opcode ID: a30e8c8fa20d4b6507278bd9d7771478bc8ca7f9eb242f5489f0b79677f2b889
                                  • Instruction ID: 4d37595e9a984dd8f1f22744f0126a4cbd096964a648e1d040742faa8028ff6f
                                  • Opcode Fuzzy Hash: a30e8c8fa20d4b6507278bd9d7771478bc8ca7f9eb242f5489f0b79677f2b889
                                  • Instruction Fuzzy Hash: AC51A170B202058FDB58DB68D840B6EB7F6BF89714B148669E601DB354DA30EC45CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%