Windows Analysis Report
2C01EPgbbjrSPr7.exe

Overview

General Information

Sample Name: 2C01EPgbbjrSPr7.exe
Analysis ID: 626545
MD5: dc6c55fee2366dee1d9c502bf061a8dc
SHA1: 609b99bc51ea6e1512d4aa1636a4586d2f6b29d6
SHA256: 99c52b9d5bcaa8af4bae268f70a39b94c0b2879dfed2cbdabd25c6fef5ff2258
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SGDT)

Classification

  • System is w10x64
  • 2C01EPgbbjrSPr7.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe" MD5: DC6C55FEE2366DEE1D9C502BF061A8DC)
    • RegSvcs.exe (PID: 6108 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup
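The tree above is the concrete shape behind the signatures "Creates a process in suspended mode", "Writes to foreign memory regions" and "Injects a PE file into a foreign process": the sample starts the .NET utility RegSvcs.exe with nothing but its own path on the command line and then writes into it. The following is an added example, not Joe Sandbox code, of how that pattern looks to an endpoint sensor and how to flag it. The events are constructed to resemble Sysmon Event ID 1 (ProcessCreate) and 10 (ProcessAccess) records exported as JSON; field names follow Sysmon's schema, PIDs and paths mirror this report's tree. The list of hollowing hosts and the user-writable path prefixes are assumptions to tune against your own baseline.

```python
"""Detection sketch for the spawn-and-inject pattern in the process tree above.

Added example; not Joe Sandbox code. Events are constructed to resemble
Sysmon Event ID 1 (ProcessCreate) and 10 (ProcessAccess) records exported as
JSON objects: field names follow Sysmon's schema, PIDs and paths mirror this
report's tree (2C01EPgbbjrSPr7.exe PID 6992 -> RegSvcs.exe PID 6108, started
as a bare {path}). HOLLOW_HOSTS and USER_WRITABLE are assumptions.
"""
import ntpath

# .NET framework utilities commonly hollowed by .NET loaders (assumption).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")
PROCESS_VM_WRITE = 0x0020   # access right WriteProcessMemory needs

def image_name(path):
    return ntpath.basename(path).lower()

def no_arguments(cmdline, image):
    """True when the command line is only the image path, quoted or not."""
    return cmdline.strip().strip('"').lower() == image.lower()

def find_hollowing(events):
    """Map child PID -> finding.

    Stage 1 (EID 1): a hollowing host started with no arguments by a parent
    that lives in a user-writable path.  Stage 2 (EID 10): that same parent
    opens the child with PROCESS_VM_WRITE, which is the Sysmon-side view of
    'writes to foreign memory regions'.
    """
    findings = {}
    for ev in events:
        if ev["EventID"] == 1:
            if (image_name(ev["Image"]) in HOLLOW_HOSTS
                    and any(d in ev["ParentImage"].lower() for d in USER_WRITABLE)
                    and no_arguments(ev["CommandLine"], ev["Image"])):
                findings[ev["ProcessId"]] = {
                    "parent_pid": ev["ParentProcessId"],
                    "parent": ev["ParentImage"],
                    "child": ev["Image"],
                    "stage": "suspicious spawn",
                }
        elif ev["EventID"] == 10:
            f = findings.get(ev["TargetProcessId"])
            if (f and ev["SourceProcessId"] == f["parent_pid"]
                    and int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE):
                f["stage"] = "spawn + PROCESS_VM_WRITE (likely hollowing)"
    return findings

FRAMEWORK = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
SAMPLE = "C:\\Users\\user\\Desktop\\2C01EPgbbjrSPr7.exe"
SAMPLE_EVENTS = [   # constructed; shapes follow Sysmon, values follow this report
    {"EventID": 1, "ProcessId": 6992, "ParentProcessId": 4321,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "ProcessId": 6108, "ParentProcessId": 6992,
     "Image": FRAMEWORK + "RegSvcs.exe", "CommandLine": FRAMEWORK + "RegSvcs.exe",
     "ParentImage": SAMPLE},
    {"EventID": 10, "SourceProcessId": 6992, "TargetProcessId": 6108,
     "SourceImage": SAMPLE, "TargetImage": FRAMEWORK + "RegSvcs.exe",
     "GrantedAccess": "0x1FFFFF"},
    # benign control: Visual Studio driving MSBuild with real arguments
    {"EventID": 1, "ProcessId": 7001, "ParentProcessId": 7000,
     "Image": FRAMEWORK + "MSBuild.exe",
     "CommandLine": FRAMEWORK + "MSBuild.exe /t:Build app.csproj",
     "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe"},
]

if __name__ == "__main__":
    for pid, f in find_hollowing(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {f['parent']} -> {f['child']}: {f['stage']}")
```

Only the RegSvcs.exe child is reported; the MSBuild control passes because it carries arguments and its parent is not in a user-writable directory. Hollowing resumes the suspended main thread rather than creating a remote one, so an EID 8 (CreateRemoteThread) rule would miss this sample; the EID 10 access mask is the signal to pair with the spawn.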
Malware Configuration

{"Exfil Mode": "SMTP", "Username": "leakkim@dtvcambodia.com", "Password": "@DTVcambodia2017", "Host": "mail.dtvcambodia.com"}
Source | Rule | Description | Author | Strings
00000004.00000002.507717756.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.507717756.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000000.279997636.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.279997636.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000000.279367854.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 15 memory-dump matches shown)

Source | Rule | Description | Author | Strings
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30dc2:$s1: get_kbok
  • 0x316f6:$s2: get_CHoo
  • 0x32369:$s3: set_passwordIsSet
  • 0x30bc6:$s4: get_enableLog
  • 0x3529a:$s8: torbrowser
  • 0x33c76:$s10: logins
  • 0x335f5:$s11: credential
  • 0x2ffbb:$g1: get_Clipboard
  • 0x2ffc9:$g2: get_Keyboard
  • 0x2ffd6:$g3: get_Password
  • 0x315a4:$g4: get_CtrlKeyDown
  • 0x315b4:$g5: get_ShiftKeyDown
  • 0x315c5:$g6: get_AltKeyDown
4.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 26 unpacked-PE matches shown)
No Sigma rule has matched
No Snort rule has matched


                    AV Detection

Source: 4.0.RegSvcs.exe.400000.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "leakkim@dtvcambodia.com", "Password": "@DTVcambodia2017", "Host": "mail.dtvcambodia.com"}
Source: 2C01EPgbbjrSPr7.exe | Virustotal: Detection: 32%
Source: 2C01EPgbbjrSPr7.exe | ReversingLabs: Detection: 61%
Source: 2C01EPgbbjrSPr7.exe | Joe Sandbox ML: detected
Source: 4.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 2C01EPgbbjrSPr7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2C01EPgbbjrSPr7.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_02DADFF0

                    Networking

Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2C01EPgbbjrSPr7.exe.41888c8.3.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | IP Address: 192.185.162.134
Source: RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000004.00000002.513029654.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/Sl
Source: RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.513181926.0000000005C9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a95e9caafddea
Source: RegSvcs.exe, 00000004.00000002.513029654.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/sk
Source: RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a95e9caafd
Source: RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://dtvcambodia.com
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.243510111.00000000015ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.w
Source: RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://eolgGu.com
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.dtvcambodia.com
Source: RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/0F
Source: RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.253625429.0000000005EA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com7
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288273378.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.281259255.0000000005E70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comaI)
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288273378.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.281259255.0000000005E70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comceTF
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.253560396.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.253090300.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcom7
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcomI)
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.253560396.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.253090300.0000000005E79000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.253560396.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.253090300.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288273378.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.281259255.0000000005E70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgreta
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.253560396.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.252302756.0000000005E78000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.253090300.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comkP)
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288273378.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.281259255.0000000005E70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comsiv
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comtud
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.243999766.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.244124001.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.243951668.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.244065913.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.243999766.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comW
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.243999766.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comcI
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.243999766.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.243951668.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comx
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.246407275.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.246653744.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.c
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.246378606.0000000005EAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.246653744.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.246653744.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/:
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.246407275.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn4
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.246407275.0000000005E74000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.246653744.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn7
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.246653744.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnicre2
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.243716394.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.243840965.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.243810275.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.243764153.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.243882011.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.243743765.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.245662763.0000000005E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.krC
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.245662763.0000000005E76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kre
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.244443790.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.244414864.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, 2C01EPgbbjrSPr7.exe, 00000000.00000003.244443790.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comr
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.dephy
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.513029654.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.513029654.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.4.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.513029654.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/d
Source: RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000004.00000002.511188968.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.511337884.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.511295523.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drm1JEWaqqI1.net
Source: RegSvcs.exe, 00000004.00000002.513029654.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sldl.windowsupdate.com/
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.286333778.000000000403F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.507717756.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000000.279367854.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.dtvcambodia.com
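Most of the URLs in this section are not network indicators at all: the fontbureau.com, founder.com.cn, sajatypeworks.com and similar strings are license and vendor metadata carried by fonts embedded in the sample's .NET resources, and lencr.org, letsencrypt.org, globalsign.net and windowsupdate.com are the CRL, OCSP and certificate-trust-list endpoints the TLS stack consults. Strings such as "fontbureau.comaI)" carry junk because the string scanner read past the terminator. What remains after that noise is removed is the short list an analyst should act on: dtvcambodia.com and mail.dtvcambodia.com (the SMTP exfiltration host from the extracted configuration), api.ipify.org (external IP lookup), and the Tor bundle download. The script below is an added example, not part of the Joe Sandbox report; its category lists are the editor's assumptions rather than a Joe Sandbox allowlist, and REPORT_LINES is a constructed excerpt copied from the lines above.

```python
"""Triage of the 'String found in binary or memory' URLs listed above.

Added example, not part of the Joe Sandbox report. Hosts are sorted into
benign TLS infrastructure, embedded font/license metadata, truncated
fragments, and candidates worth blocking or hunting. Category lists are the
editor's assumptions. Matching is by containment because the scanner leaves
trailing junk on many hosts (e.g. 'fontbureau.comaI').
"""
import re
from collections import defaultdict

BENIGN_INFRA = ("lencr.org", "letsencrypt.org", "globalsign.net",
                "windowsupdate.com", "127.0.0.1")
EMBEDDED_METADATA = ("fontbureau.com", "fonts.com", "fontfabrik.com",
                     "founder.com.cn", "galapagosdesign.com", "goodfont.co.kr",
                     "jiyu-kobo.co.jp", "sajatypeworks.com", "sakkal.com",
                     "sandoll.co.kr", "tiro.com", "typography.net", "urwpp.de",
                     "zhongyicts.com.cn", "carterandcone.com", "apache.org")

HOST_RE = re.compile(r"^[a-z]+://([a-z0-9.\-]+)", re.IGNORECASE)
URL_LINE_RE = re.compile(r"String found in binary or memory: (\S+)")
DNS_LINE_RE = re.compile(r"queries for: (\S+)")

def host_of(url):
    """Host characters right after the scheme; stops at ':' '/' or junk."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else None

def classify(host):
    if any(b in host for b in BENIGN_INFRA):
        return "benign_infra"
    if any(v in host for v in EMBEDDED_METADATA):
        return "embedded_metadata"
    if len(host.rsplit(".", 1)[-1]) < 2:      # 'en.w', 'www.founder.c'
        return "truncated"
    return "candidate"

def triage(lines):
    """Bucket every host found in report lines; returns {bucket: sorted hosts}."""
    buckets = defaultdict(set)
    for line in lines:
        m = URL_LINE_RE.search(line)
        host = host_of(m.group(1)) if m else None
        if host is None:
            m = DNS_LINE_RE.search(line)
            host = m.group(1).lower() if m else None
        if host:
            buckets[classify(host)].add(host)
    return {k: sorted(v) for k, v in buckets.items()}

REPORT_LINES = [  # constructed excerpt; values copied from the section above
    "String found in binary or memory: http://127.0.0.1:HTTP/1.1",
    "String found in binary or memory: http://DynDns.comDynDNS",
    "String found in binary or memory: http://cps.letsencrypt.org0",
    "String found in binary or memory: http://crl.globalsign.net/root-r2.crl0",
    "String found in binary or memory: http://ctldl.windowsupdate.com/Sl",
    "String found in binary or memory: http://dtvcambodia.com",
    "String found in binary or memory: http://en.w",
    "String found in binary or memory: http://eolgGu.com",
    "String found in binary or memory: http://fontfabrik.com",
    "String found in binary or memory: http://mail.dtvcambodia.com",
    "String found in binary or memory: http://r3.o.lencr.org0",
    "String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0",
    "String found in binary or memory: http://www.fontbureau.comaI)",
    "String found in binary or memory: http://www.founder.c",
    "String found in binary or memory: http://www.sajatypeworks.com",
    "String found in binary or memory: https://api.ipify.org%$",
    "String found in binary or memory: https://drm1JEWaqqI1.net",
    "String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
    "DNS traffic detected: queries for: mail.dtvcambodia.com",
]

if __name__ == "__main__":
    for bucket, hosts in triage(REPORT_LINES).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

The candidate bucket is what goes into a blocklist or a hunt query; the DynDns.com, eolgGu.com and drm1JEWaqqI1.net strings land there too and need a human decision, since the report shows no traffic to them. Only mail.dtvcambodia.com was actually resolved during the run.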

                    Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
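The report records only that the injected RegSvcs.exe wrote to the hosts file, not what it wrote, so the content must be recovered from the host during response. A stock Windows 10 hosts file contains nothing but comments, which makes the audit simple: every uncommented mapping is non-default, and the two shapes that matter are names pinned to a sinkhole address (the pattern used to suppress update or AV traffic) and names pointed at a real address (a redirect). The script below is an added example, not Joe Sandbox output; its sample hosts text is constructed with reserved .example names and a documentation IP address.

```python
r"""Audit a Windows hosts file for entries that are not stock.

Added example, not Joe Sandbox output. The report says only that
RegSvcs.exe wrote C:\Windows\System32\drivers\etc\hosts. SAMPLE_HOSTS is
constructed; a stock Windows 10 hosts file carries only comment lines.
"""
import ipaddress

SINKHOLE = {ipaddress.ip_address("0.0.0.0")}
STOCK_NAMES = {"localhost"}   # the only mapping older stock files carried

def parse_hosts(text):
    """Yield (ip, name) for each uncommented mapping; inline comments dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # malformed line; Windows ignores it, so do we
        for name in parts[1:]:
            yield ip, name.lower()

def audit_hosts(text):
    """Return one finding per mapping with a verdict of stock/blocked/redirected."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in STOCK_NAMES and ip.is_loopback:
            verdict = "stock"
        elif ip in SINKHOLE or ip.is_loopback:
            verdict = "blocked"      # name resolves to nowhere
        else:
            verdict = "redirected"   # name resolves to an attacker-chosen host
        findings.append({"ip": str(ip), "name": name, "verdict": verdict})
    return findings

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1       localhost
0.0.0.0         update.example        # constructed: sinkholed name
127.0.0.1       av.example            # constructed: sinkholed via loopback
198.51.100.7    login.bank.example    # constructed: redirect to a documentation IP
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        if f["verdict"] != "stock":
            print(f"{f['verdict']:10} {f['name']} -> {f['ip']}")
```

On a live host, read the file with the long path above rather than relying on %SystemRoot% expansion from an untrusted shell, and keep the original bytes: the modification time and the exact entries are evidence, and the "blocked" set usually names the security vendors the operator wanted to keep quiet.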

                    System Summary

                    Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.2C01EPgbbjrSPr7.exe.41888c8.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.2C01EPgbbjrSPr7.exe.41888c8.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b0521C396u002dCDD4u002d4B8Fu002d8DB5u002d045B90A6C938u007d/u003197B8149u002dCA5Eu002d4A78u002dA70Au002dCE490C237E5C.csLarge array initialization: .cctor: array initializer size 12012
                    Source: 4.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b0521C396u002dCDD4u002d4B8Fu002d8DB5u002d045B90A6C938u007d/u003197B8149u002dCA5Eu002d4A78u002dA70Au002dCE490C237E5C.csLarge array initialization: .cctor: array initializer size 12012
                    Source: 4.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b0521C396u002dCDD4u002d4B8Fu002d8DB5u002d045B90A6C938u007d/u003197B8149u002dCA5Eu002d4A78u002dA70Au002dCE490C237E5C.csLarge array initialization: .cctor: array initializer size 12012
                    Source: 4.0.RegSvcs.exe.400000.4.unpack, <PrivateImplementationDetails>{0521C396-CDD4-4B8F-8DB5-045B90A6C938}/197B8149-CA5E-4A78-A70A-CE490C237E5C.cs | Large array initialization: .cctor: array initializer size 12012
                    Source: 4.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{0521C396-CDD4-4B8F-8DB5-045B90A6C938}/197B8149-CA5E-4A78-A70A-CE490C237E5C.cs | Large array initialization: .cctor: array initializer size 12012
                    Source: 4.0.RegSvcs.exe.400000.3.unpack, <PrivateImplementationDetails>{0521C396-CDD4-4B8F-8DB5-045B90A6C938}/197B8149-CA5E-4A78-A70A-CE490C237E5C.cs | Large array initialization: .cctor: array initializer size 12012
                    Source: 2C01EPgbbjrSPr7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.2C01EPgbbjrSPr7.exe.41888c8.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.2C01EPgbbjrSPr7.exe.41888c8.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA70E8
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DAA850
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA0040
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA2830
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA9E90
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DAAEB8
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA7AD8
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA7AC8
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA1AC0
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA1AB0
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA7B83
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA23B8
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA33B0
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA23A8
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA3300
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA70D8
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA7808
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA0007
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DAA83F
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA282B
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DAA1D0
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DAA1CF
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA2158
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA2168
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA0EF0
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA9E81
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA2650
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA264C
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA0F00
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA7C20
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA1DD0
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA75E8
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA1DE0
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA8D98
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA8D97
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_00B52050
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00E234A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00E231A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00E20908
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00E27E30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00E28580
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00E28680
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00F647A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00F646B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00F6D660
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05ED6508
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05ED7120
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05ED90D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05ED6850
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 05EDBC18 appears 48 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 98%
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.286333778.000000000403F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenOOTwECnjSqKtJrhjFcwUgB.exe4 vs 2C01EPgbbjrSPr7.exe
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.286333778.000000000403F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 2C01EPgbbjrSPr7.exe
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000003.269344146.0000000003941000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 2C01EPgbbjrSPr7.exe
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000000.240821247.0000000000C1E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameg863j.exe8 vs 2C01EPgbbjrSPr7.exe
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenOOTwECnjSqKtJrhjFcwUgB.exe4 vs 2C01EPgbbjrSPr7.exe
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.289470326.0000000007A40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 2C01EPgbbjrSPr7.exe
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283195243.0000000003021000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs 2C01EPgbbjrSPr7.exe
                    Source: 2C01EPgbbjrSPr7.exe | Binary or memory string: OriginalFilenameg863j.exe8 vs 2C01EPgbbjrSPr7.exe
                    Source: 2C01EPgbbjrSPr7.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: 2C01EPgbbjrSPr7.exe | Virustotal: Detection: 32%
                    Source: 2C01EPgbbjrSPr7.exe | ReversingLabs: Detection: 61%
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe "C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe"
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2C01EPgbbjrSPr7.exe.log
                    Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@3/4@3/1
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: 2C01EPgbbjrSPr7.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
                    Source: 2C01EPgbbjrSPr7.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
                    Source: 2C01EPgbbjrSPr7.exe | String found in binary or memory: (O-aDd(
                    Source: 4.0.RegSvcs.exe.400000.2.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.RegSvcs.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: 2C01EPgbbjrSPr7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 2C01EPgbbjrSPr7.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_00B576BF push es; retf 0_2_00B576D6
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_00B576A7 push es; retf 0_2_00B576BE
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DB2057 push ebx; retf 0_2_02DB2058
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DB1A97 push cs; retf 0_2_02DB1A98
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Code function: 0_2_02DA51FC push esi; ret 0_2_02DA51FE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00F6EB6C push 8405CF2Eh; iretd 4_2_00F6EB71
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05ED1DF9 push ecx; iretd 4_2_05ED1DFA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05EDEDD3 push esp; ret 4_2_05EDEE19
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05EDB8AB pushfd ; iretd 4_2_05EDB8B2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05ED1BC1 push eax; iretd 4_2_05ED1BC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05ED1BC3 push eax; iretd 4_2_05ED1BCA
                    Source: initial sample | Static PE information: section name: .text entropy: 7.85472323726
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara matchFile source: Process Memory Space: 2C01EPgbbjrSPr7.exe PID: 6992, type: MEMORYSTR
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe TID: 7012Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 5234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 4582Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00F67878 sgdt fword ptr [eax]4_2_00F67878
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                    Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000004.00000003.506326715.0000000005C9E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.513181926.0000000005C9E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000004.00000002.513029654.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWHP
Source: RegSvcs.exe, 00000004.00000003.506326715.0000000005C9E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.513181926.0000000005C9E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW?
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: 2C01EPgbbjrSPr7.exe, 00000000.00000002.283797713.0000000003077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05EDC99E QueryDosDeviceA,LoadModule,SetVolumeLabelW,LocalFlags,UnregisterWaitUntilOOBECompleted,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Memory allocated: page read and write | page guard
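The memory strings above are the raw material for the report's VM-detection verdict, and two of them deserve a closer look. In the VMWARE"SOFTWARE ... 'SYSTEM\... entry and the vmwareNSYSTEM\... entry several registry keys run together with a single odd character between them. Those characters (", L, L, ' and N, and the % in front of the VMware Tools install path) each equal the character count of the string that follows, which is the layout .NET BinaryWriter.Write(string) produces (a 7-bit length prefix per string) and a common way for obfuscators to store a decrypted string table; the prefix of the first string in each entry was a non-printable byte that the strings dump dropped. That reading is an interpretation, not something the report states. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it walks such a fragment, recovers the individual keys and classifies each against the VM artifacts listed above (the Display-adapters setup class GUID {4D36E968-...}, the SCSI DEVICEMAP Identifier keys, Disk\Enum, the VMware Tools key and path, the VMware SVGA II and Hyper-V RAW strings). The indicator names and the start offsets are the example's own choices; the input strings are copied from the rows above.

```python
import re

# Regexes over strings recovered from the sample or its memory dumps. Each one
# mirrors an artifact the report lists. {4D36E968-E325-11CE-BFC1-08002BE10318}
# is the Windows "Display adapters" setup class, under which a VMware guest
# shows its "VMware SVGA II" adapter; the Scsi DEVICEMAP keys carry the disk
# Identifier string (e.g. "VMware Virtual disk"); Disk\Enum lists the same
# hardware IDs; "Hyper-V RAW" is a Hyper-V network adapter string the report
# found in the RegSvcs.exe process.
VM_ARTIFACTS = {
    "vmware_tools_path": re.compile(r"\\VMWARE\\VMWARE TOOLS\\", re.I),
    "vmware_tools_regkey": re.compile(r"SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I),
    "scsi_identifier_key": re.compile(
        r"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port \d+\\Scsi Bus \d+\\Target Id \d+\\Logical Unit Id \d+", re.I),
    "disk_enum_key": re.compile(r"SYSTEM\\ControlSet\d{3}\\Services\\Disk\\Enum", re.I),
    "display_class_key": re.compile(r"Class\\\{4D36E968-E325-11CE-BFC1-08002BE10318\}\\\d{4}", re.I),
    "vmware_svga": re.compile(r"VMware SVGA", re.I),
    "hyperv_adapter": re.compile(r"Hyper-V RAW", re.I),
}


def read_7bit_int(data: bytes, pos: int):
    """Decode a .NET 7-bit encoded integer (BinaryWriter.Write7BitEncodedInt)
    at data[pos]; returns (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated length prefix")
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("length prefix too long")


def split_prefixed_strings(blob: str, start: int = 0):
    """Walk a run of length-prefixed ASCII strings (the layout BinaryWriter.Write(string)
    produces) and return them individually. `start` skips leading text whose own
    prefix byte was non-printable and therefore missing from a strings dump."""
    data = blob.encode("latin-1")
    pieces, pos = [], start
    while pos < len(data):
        try:
            length, pos = read_7bit_int(data, pos)
        except ValueError:
            break
        if length == 0 or pos + length > len(data):
            break  # dump truncated mid-string: keep only fully recovered pieces
        pieces.append(data[pos:pos + length].decode("latin-1"))
        pos += length
    return pieces


def classify(strings):
    """Return sorted (indicator, matched_text) pairs for every artifact hit."""
    hits = set()
    for s in strings:
        for name, pat in VM_ARTIFACTS.items():
            for m in pat.finditer(s):
                hits.add((name, m.group(0)))
    return sorted(hits)


def analyze_blob(blob, start):
    """Split a concatenated string-table fragment and classify its pieces."""
    pieces = split_prefixed_strings(blob, start)
    return pieces, classify(pieces)


# Constructed input: the memory strings copied from the report rows. Parsing of
# each concatenated fragment starts after its first piece ("VMWARE", "vmware",
# "InstallPath"), whose prefix byte the strings dump did not preserve.
BLOB_REGISTRY = (
    'VMWARE"SOFTWARE\\VMware, Inc.\\VMware Tools'
    'LHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0'
    'LHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0'
    "'SYSTEM\\ControlSet001\\Services\\Disk\\Enum"
)
BLOB_DISPLAY = "vmwareNSYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000"
BLOB_INSTALLPATH = "InstallPath%C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\"
LOOSE_STRINGS = ["Hyper-V RAW", "VMware SVGA II", "Hyper-V RAWHP"]

if __name__ == "__main__":
    for blob, start in ((BLOB_REGISTRY, 6), (BLOB_DISPLAY, 6), (BLOB_INSTALLPATH, 11)):
        pieces, hits = analyze_blob(blob, start)
        for p in pieces:
            print("string:", p)
        for name, text in hits:
            print("   ->", name, "|", text)
    for name, text in classify(LOOSE_STRINGS):
        print("loose ->", name, "|", text)
```

Splitting the fragment this way recovers four separate keys from the first entry (the VMware Tools key, two SCSI Identifier keys and Disk\Enum), which is what the sample reads to compare against "VMware", "VBOX" and similar vendor strings; running the same table over a strings dump of any .NET sample gives a quick read of which evasion family it relies on before any dynamic run.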

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 960008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
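The rows above are the footprint of RunPE-style process hollowing. The sample starts a fresh RegSvcs.exe (a signed .NET Framework utility), then writes into it at 400000 (the data begins 4D5A, an MZ header), at 402000, 438000 and 43A000 (page-aligned addresses inside the new image, i.e. section data) and finally at 960008, a small unaligned write far away from the image. The child is the 32-bit RegSvcs.exe (Framework\, not Framework64\), and in a 32-bit PEB the ImageBaseAddress field sits at offset 0x8, which is the field RunPE patches so the loader runs the injected image; reading 960008 as that PEB patch is an inference from the address, not something the report asserts. The Python below is an added example, not part of the report: it parses rows in exactly the form copied from this page (fused separators and trailing "Jump to behavior" labels included), groups cross-process writes by injector and target, and scores the sequence. The heuristics (64 KiB-aligned MZ base, page-aligned section writes, an address ending in 008 as PEB candidate) and the one extra same-process row marked as constructed are the example's own.

```python
import re
from collections import defaultdict

# Matches the report's "Memory written" rows as copied from the page: the
# Source path may run straight into the event text, and a link label
# ("Jump to behavior") may trail the base address. Paths are taken up to
# their ".exe" so any separator between the columns is tolerated.
WRITE_ROW = re.compile(
    r"Source:\s*(?P<src>.+?\.exe).*?Memory written:\s*(?P<tgt>.+?\.exe)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
    r"(?:\s+value starts with:\s*(?P<val>[0-9A-Fa-f]+))?",
    re.I,
)


def parse_write_rows(rows):
    """One dict per recognised row: injector, target, base (int), first_bytes (bytes or None)."""
    events = []
    for row in rows:
        m = WRITE_ROW.search(row)
        if not m:
            continue
        val = m.group("val")
        events.append({
            "injector": m.group("src"),
            "target": m.group("tgt"),
            "base": int(m.group("base"), 16),
            "first_bytes": bytes.fromhex(val) if val else None,
        })
    return events


def detect_hollowing(events, max_image_size=0x1000000):
    """Flag (injector, target) pairs whose cross-process writes fit the RunPE sequence:
      1. an 'MZ' header written at a 64 KiB-aligned image base;
      2. page-aligned writes above it, inside the image (section data);
      3. a small unaligned write ending in 0x8 outside the image, where
         PEB.ImageBaseAddress sits in a 32-bit PEB (0x10 in a 64-bit one).
    Treating (3) as the PEB patch is a heuristic, not a fact the report states.
    Same-process writes are ignored: they are ordinary self-modification."""
    by_pair = defaultdict(list)
    for e in events:
        if e["injector"].lower() != e["target"].lower():
            by_pair[(e["injector"], e["target"])].append(e)

    findings = []
    for (injector, target), evs in by_pair.items():
        bases = sorted({e["base"] for e in evs})
        headers = sorted(e["base"] for e in evs
                         if e["first_bytes"] and e["first_bytes"].startswith(b"MZ")
                         and e["base"] % 0x10000 == 0)
        if not headers:
            continue
        image_base = headers[0]
        section_writes = [b for b in bases
                          if image_base < b < image_base + max_image_size and (b & 0xFFF) == 0]
        peb_candidates = [b for b in bases
                          if (b & 0xFFF) == 0x8 and b != image_base and b not in section_writes]
        findings.append({
            "injector": injector,
            "target": target,
            "image_base": image_base,
            "section_writes": section_writes,
            "peb_patch_candidates": peb_candidates,
            "confidence": "high" if section_writes and peb_candidates else "medium",
        })
    return findings


# Constructed input: the six "Memory written" rows copied from the report, plus
# one same-process row (the last) that is constructed here, not taken from the
# report, to show that self-writes are filtered out.
REPORT_ROWS = [
    r"Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior",
    r"Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior",
    r"Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000Jump to behavior",
    r"Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000Jump to behavior",
    r"Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 960008Jump to behavior",
    r"Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior",
    r"Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe Memory written: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe base: 3077000",
]

if __name__ == "__main__":
    for f in detect_hollowing(parse_write_rows(REPORT_ROWS)):
        print(f"{f['injector']} -> {f['target']}: image base {f['image_base']:#x}, "
              f"sections at {[hex(b) for b in f['section_writes']]}, "
              f"PEB patch candidates {[hex(b) for b in f['peb_patch_candidates']]}, "
              f"confidence {f['confidence']}")
```

The injector/target pair this recovers is also what ties the hosts-file write in the rows above back to the sample: the write comes from RegSvcs.exe, which by itself looks like a Microsoft binary touching a system file, and only the hollowing evidence shows whose code was running in it.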
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Queries volume information: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe VolumeInformation
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Queries volume information: VolumeInformation, once for each of the font files listed below. Note: this run of queries against C:\Windows\Fonts directly follows the load of System.Drawing.dll and is the pattern GDI+ produces while enumerating installed fonts; on its own it is low-signal and should not be read as file-system reconnaissance by the sample.
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\bahnschrift.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrili.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\cambria.ttc
C:\Windows\Fonts\cambriai.ttf
C:\Windows\Fonts\cambriab.ttf
C:\Windows\Fonts\cambriaz.ttf
C:\Windows\Fonts\Candara.ttf
C:\Windows\Fonts\Candarai.ttf
C:\Windows\Fonts\Candarab.ttf
C:\Windows\Fonts\Candaraz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comici.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\comicz.ttf
C:\Windows\Fonts\consola.ttf
C:\Windows\Fonts\consolai.ttf
C:\Windows\Fonts\consolab.ttf
C:\Windows\Fonts\consolaz.ttf
C:\Windows\Fonts\constan.ttf
C:\Windows\Fonts\constani.ttf
C:\Windows\Fonts\constanb.ttf
C:\Windows\Fonts\constanz.ttf
C:\Windows\Fonts\corbel.ttf
C:\Windows\Fonts\corbeli.ttf
C:\Windows\Fonts\corbelb.ttf
C:\Windows\Fonts\corbelz.ttf
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\gadugi.ttf
C:\Windows\Fonts\gadugib.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\Inkfree.ttf
C:\Windows\Fonts\javatext.ttf
C:\Windows\Fonts\LeelawUI.ttf
C:\Windows\Fonts\LeelUIsl.ttf
C:\Windows\Fonts\LeelaUIb.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunsl.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttc
C:\Windows\Fonts\msjhl.ttc
C:\Windows\Fonts\msjhbd.ttc
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\msyh.ttc
C:\Windows\Fonts\msyhl.ttc
C:\Windows\Fonts\msyhbd.ttc
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\mmrtext.ttf
C:\Windows\Fonts\mmrtextb.ttf
C:\Windows\Fonts\Nirmala.ttf
C:\Windows\Fonts\NirmalaS.ttf
C:\Windows\Fonts\NirmalaB.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\seguisb.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\seguisli.ttf
C:\Windows\Fonts\seguili.ttf
C:\Windows\Fonts\seguisbi.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguibl.ttf
C:\Windows\Fonts\seguibli.ttf
C:\Windows\Fonts\seguiemj.ttf
C:\Windows\Fonts\seguihis.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\Sitka.ttc
C:\Windows\Fonts\SitkaI.ttc
C:\Windows\Fonts\SitkaB.ttc
C:\Windows\Fonts\SitkaZ.ttc
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\YuGothR.ttc
C:\Windows\Fonts\YuGothM.ttc
C:\Windows\Fonts\YuGothL.ttc
C:\Windows\Fonts\YuGothB.ttc
C:\Windows\Fonts\holomdl2.ttf
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\LEELAWAD.TTF
C:\Windows\Fonts\LEELAWDB.TTF
C:\Windows\Fonts\MSUIGHUR.TTF
C:\Windows\Fonts\MSUIGHUB.TTF
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\TEMPSITC.TTF
C:\Windows\Fonts\PRISTINA.TTF
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (reported three times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_05ED5594 GetUserNameW, 4_2_05ED5594

                    Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                    Stealing of Sensitive Information

Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2C01EPgbbjrSPr7.exe.41888c8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2C01EPgbbjrSPr7.exe.41888c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.507717756.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.279997636.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.279367854.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.286333778.000000000403F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.280271675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.279715834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2C01EPgbbjrSPr7.exe PID: 6992, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (reported twice)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTR
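The file and registry targets listed above are the credential stores of Thunderbird, Outlook, IncrediMail, WinSCP, SmartFTP, FileZilla, Firefox and Chrome, all read by the injected RegSvcs.exe process, which is also the process that wrote the hosts file in the previous section. The Python script below is an added example and is not part of the Joe Sandbox report or its tooling: it turns those two observations into a detection rule over Sysmon-style file and registry events, flagging any process that is not the product's own binary and touches the stores of two or more unrelated products, and any write to the hosts file. The event layout, the category names and the legitimate-owner list are assumptions; the sample events are constructed to mirror the RegSvcs.exe (PID 6108) lines above, plus one benign Firefox access for contrast.

```python
"""Detection logic for the credential-store reads and hosts-file write above.

Added example, not part of the Joe Sandbox report. Event layout, category
names and LEGIT_OWNERS are assumptions; SAMPLE_EVENTS is constructed to
mirror the report's RegSvcs.exe (PID 6108) activity.
"""
import re
from collections import defaultdict

# Credential stores the report shows RegSvcs.exe opening, grouped by product
# family. Patterns are regexes over the lower-cased file or registry path.
CREDENTIAL_STORES = {
    "mail": [r"\\thunderbird\\profiles\.ini$",
             r"\\windows messaging subsystem\\profiles\\outlook\\",
             r"\\software\\incredimail\\identities$"],
    "ftp": [r"\\filezilla\\recentservers\.xml$",
            r"\\smartftp\\client 2\.0\\favorites\\"],
    "scp": [r"\\martin prikryl\\winscp 2\\sessions$"],
    "browser": [r"\\mozilla\\firefox\\profiles\.ini$",
                r"\\google\\chrome\\user data\\default\\login data$"],
}
HOSTS_FILE = re.compile(r"\\system32\\drivers\\etc\\hosts$")

# Binaries that legitimately read their own store (assumed list); any other
# image touching these paths is treated as a harvester.
LEGIT_OWNERS = {"thunderbird.exe", "outlook.exe", "incmail.exe", "filezilla.exe",
                "smartftp.exe", "winscp.exe", "firefox.exe", "chrome.exe"}


def classify(path):
    """Return the store category a file/registry path belongs to, or None."""
    p = path.lower()
    for category, patterns in CREDENTIAL_STORES.items():
        if any(re.search(pat, p) for pat in patterns):
            return category
    return None


def analyse(events):
    """Aggregate events per process and return verdicts keyed by PID.

    Each event is a dict with keys pid, image (full path), op (one of
    "file_open", "reg_open", "file_write") and target (path or registry key).
    """
    per_proc = defaultdict(lambda: {"image": "", "hits": defaultdict(set),
                                    "hosts_write": False})
    for ev in events:
        rec = per_proc[ev["pid"]]
        rec["image"] = ev["image"]
        target = ev["target"]
        if ev["op"] in ("file_open", "reg_open"):
            cat = classify(target)
            if cat:
                rec["hits"][cat].add(target)
        elif ev["op"] == "file_write" and HOSTS_FILE.search(target.lower()):
            rec["hosts_write"] = True

    results = {}
    for pid, rec in per_proc.items():
        image_name = rec["image"].rsplit("\\", 1)[-1].lower()
        verdicts = []
        if image_name not in LEGIT_OWNERS:
            verdicts += [f"credential-store access: {cat}" for cat in rec["hits"]]
            # One foreign process reading stores of several unrelated products
            # is the stealer tell; a single store could be a backup tool.
            if len(rec["hits"]) >= 2:
                verdicts.append("multi-store harvesting (stealer behaviour)")
        if rec["hosts_write"]:
            verdicts.append("hosts file modified")
        results[pid] = {"image": rec["image"],
                        "hits": {k: sorted(v) for k, v in rec["hits"].items()},
                        "verdicts": verdicts}
    return results


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
APPDATA = r"C:\Users\user\AppData"
SAMPLE_EVENTS = [  # constructed; mirrors the report's RegSvcs.exe (PID 6108) lines
    {"pid": 6108, "image": REGSVCS, "op": "file_open",
     "target": APPDATA + r"\Roaming\Thunderbird\profiles.ini"},
    {"pid": 6108, "image": REGSVCS, "op": "reg_open",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 6108, "image": REGSVCS, "op": "reg_open",
     "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 6108, "image": REGSVCS, "op": "reg_open",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"pid": 6108, "image": REGSVCS, "op": "file_open",
     "target": APPDATA + r"\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect" + "\\"},
    {"pid": 6108, "image": REGSVCS, "op": "file_open",
     "target": APPDATA + r"\Roaming\FileZilla\recentservers.xml"},
    {"pid": 6108, "image": REGSVCS, "op": "file_open",
     "target": APPDATA + r"\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 6108, "image": REGSVCS, "op": "file_open",
     "target": APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 6108, "image": REGSVCS, "op": "file_write",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
    # Benign contrast: Firefox reading its own profiles.ini must not fire.
    {"pid": 4242, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "op": "file_open", "target": APPDATA + r"\Roaming\Mozilla\Firefox\profiles.ini"},
]

if __name__ == "__main__":
    for pid, res in analyse(SAMPLE_EVENTS).items():
        print(pid, res["image"], res["verdicts"])
```

The owner allow-list is what keeps this from firing on every mail client start; in a real deployment it should be keyed on signed image path rather than basename, since a stealer can trivially rename itself. The hosts-file check is kept separate because a single hosts write by a .NET utility such as RegSvcs.exe is suspicious on its own, independent of any credential access.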

                    Remote Access Functionality

Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2C01EPgbbjrSPr7.exe.41888c8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2C01EPgbbjrSPr7.exe.41888c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.507717756.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.279997636.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.279367854.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.286333778.000000000403F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.280271675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.279715834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2C01EPgbbjrSPr7.exe PID: 6992, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTR
MITRE ATT&CK matrix, listed by tactic (each column of the report's matrix read top to bottom; the number in brackets is the count the report shows beside that technique, techniques without a number are empty matrix cells)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [211]; Command and Scripting Interpreter [2]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [211]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; File and Directory Permissions Modification [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [141]; Process Injection [211]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [4]; Software Packing [3]
Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [211]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; Remote System Discovery [1]; System Information Discovery [114]; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [2]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Antivirus detection, initial sample (Source | Detection | Scanner | Label)
2C01EPgbbjrSPr7.exe | 32% | Virustotal | -
2C01EPgbbjrSPr7.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.Injuke
2C01EPgbbjrSPr7.exe | 100% | Joe Sandbox ML | -

No Antivirus matches

Antivirus detection, unpacked PE files (Source | Detection | Scanner | Label)
4.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
4.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
4.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
4.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8

Antivirus detection, domains (Source | Detection | Scanner | Label)
dtvcambodia.com | 0% | Virustotal | -
x1.i.lencr.org | 1% | Virustotal | -

Antivirus detection, URLs (Source | Detection | Scanner | Label)
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.comsiv | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.c | 0% | URL Reputation | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.fontbureau.comcomI) | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fonts.comcI | 0% | Avira URL Cloud | safe
http://www.fontbureau.comceTF | 0% | Avira URL Cloud | safe
http://www.fontbureau.comcom7 | 0% | Avira URL Cloud | safe
http://r3.i.lencr.org/0F | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnicre2 | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
https://drm1JEWaqqI1.net | 0% | Avira URL Cloud | safe
http://www.fontbureau.comtud | 0% | Avira URL Cloud | safe
http://www.fontbureau.comgreta | 0% | URL Reputation | safe
http://www.fontbureau.comkP) | 0% | Avira URL Cloud | safe
http://www.urwpp.dephy | 0% | Avira URL Cloud | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.fontbureau.com7 | 0% | Avira URL Cloud | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sandoll.co.krC | 0% | Avira URL Cloud | safe
http://www.fonts.comx | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://x1.i.lencr.org/ | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/: | 0% | Avira URL Cloud | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.tiro.comr | 0% | Avira URL Cloud | safe
http://www.fontbureau.comaI) | 0% | Avira URL Cloud | safe
http://eolgGu.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kre | 0% | URL Reputation | safe
http://dtvcambodia.com | 0% | Avira URL Cloud | safe
http://www.fonts.comW | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://en.w | 0% | URL Reputation | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn7 | 0% | URL Reputation | safe
http://mail.dtvcambodia.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.founder.com.cn/cn4 | 0% | URL Reputation | safe
http://x1.i.lencr.org/d | 0% | Avira URL Cloud | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
dtvcambodia.com | 192.185.162.134 | true | true | - | unknown
x1.i.lencr.org | unknown | unknown | false | - | unknown
mail.dtvcambodia.com | unknown | unknown | true | - | unknown
Contacted URLs (Name | Source | Malicious | Antivirus Detection | Reputation)
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/? | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.comsiv | 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.244443790.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.c | 2C01EPgbbjrSPr7.exe, 00000000.00000003.246407275.0000000005E74000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.246653744.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comessed | 2C01EPgbbjrSPr7.exe, 00000000.00000003.253560396.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.253090300.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comcomI) | 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.goodfont.co.kr | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comcI | 2C01EPgbbjrSPr7.exe, 00000000.00000003.243999766.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comceTF | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288273378.0000000005E70000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.281259255.0000000005E70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcom7 | 2C01EPgbbjrSPr7.exe, 00000000.00000003.253560396.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.253090300.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.i.lencr.org/0F | RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnicre2 | 2C01EPgbbjrSPr7.exe, 00000000.00000003.246653744.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | 2C01EPgbbjrSPr7.exe, 00000000.00000003.243716394.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.243840965.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.243810275.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.243764153.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.243882011.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.243743765.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drm1JEWaqqI1.net | RegSvcs.exe, 00000004.00000002.511188968.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.511337884.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.511295523.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comtud | 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comgreta | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288273378.0000000005E70000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.281259255.0000000005E70000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comkP) | 2C01EPgbbjrSPr7.exe, 00000000.00000003.253560396.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.252302756.0000000005E78000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.253090300.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.urwpp.dephy | 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.513029654.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.513029654.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r3.o.lencr.org0 | RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | 2C01EPgbbjrSPr7.exe, 00000000.00000003.243999766.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.244124001.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.243951668.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.244065913.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com7 | 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de | 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krC | 2C01EPgbbjrSPr7.exe, 00000000.00000003.245662763.0000000005E76000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comx | 2C01EPgbbjrSPr7.exe, 00000000.00000003.243999766.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.243951668.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 2C01EPgbbjrSPr7.exe, 00000000.00000002.286333778.000000000403F000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.507717756.0000000000402000.00000040.00000400.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000000.279367854.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://x1.i.lencr.org/ | RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.513029654.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp; 2D85F72862B55C4EADD9E66E06947F3D0.4.dr | false | URL Reputation: safe | unknown
http://DynDns.comDynDNS | RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/: | 2C01EPgbbjrSPr7.exe, 00000000.00000003.246653744.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comF | 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comr | 2C01EPgbbjrSPr7.exe, 00000000.00000003.244414864.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.244443790.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comaI) | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288273378.0000000005E70000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.281259255.0000000005E70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://eolgGu.com | RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kre | 2C01EPgbbjrSPr7.exe, 00000000.00000003.245662763.0000000005E76000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://dtvcambodia.com | RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comW | 2C01EPgbbjrSPr7.exe, 00000000.00000003.243999766.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | 2C01EPgbbjrSPr7.exe, 00000000.00000003.253560396.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.253090300.0000000005E79000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.254284053.0000000005E79000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://en.w | 2C01EPgbbjrSPr7.exe, 00000000.00000003.243510111.00000000015ED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%$ | RegSvcs.exe, 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | 2C01EPgbbjrSPr7.exe, 00000000.00000003.246653744.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn | 2C01EPgbbjrSPr7.exe, 00000000.00000003.246378606.0000000005EAD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/cabarga.html | 2C01EPgbbjrSPr7.exe, 00000000.00000003.253625429.0000000005EA5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn7 | 2C01EPgbbjrSPr7.exe, 00000000.00000003.246407275.0000000005E74000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.246653744.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.dtvcambodia.com | RegSvcs.exe, 00000004.00000002.511389823.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288273378.0000000005E70000.00000004.00000800.00020000.00000000.sdmp; 2C01EPgbbjrSPr7.exe, 00000000.00000003.281259255.0000000005E70000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn4 | 2C01EPgbbjrSPr7.exe, 00000000.00000003.246407275.0000000005E74000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | 2C01EPgbbjrSPr7.exe, 00000000.00000002.288950173.0000000007082000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://x1.i.lencr.org/d | RegSvcs.exe, 00000004.00000002.512946550.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.185.162.134 | dtvcambodia.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:626545
Start date and time: 2022-05-14 12:06:20 +02:00
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 8m 34s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:2C01EPgbbjrSPr7.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.adwa.spyw.evad.winEXE@3/4@3/1
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 0.1% (good quality ratio 0%)
                                            • Quality average: 0%
                                            • Quality standard deviation: 0%
                                            HCA Information:
                                            • Successful, ratio: 98%
                                            • Number of executed functions: 91
                                            • Number of non-executed functions: 26
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 23.50.97.168
                                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, crl.root-x1.letsencrypt.org.edgekey.net
• Not all processes were analyzed; the report is missing behavior information
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:07:31 | API Interceptor | 1x Sleep call for process: 2C01EPgbbjrSPr7.exe modified
12:07:49 | API Interceptor | 632x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection
192.185.162.134 | KU8Nem8AgTxeMHZ.exe | malicious
| draft BL.xlsx | malicious
| UHHxvMh45L6Q0PI.exe | malicious
| Import Doc.xlsx | malicious
| VLCo8U5XU1JbLd5.exe | malicious
| pCGyCdiP09YjyNN.exe | malicious
| GAjJLlt1tTmXRw3.exe | malicious
| NnXlxZyaZUDKLcy.exe | malicious
| block.exe | malicious
| nunu$$.exe | malicious
| nunu.exe | malicious
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1391
                                                                  Entropy (8bit):7.705940075877404
                                                                  Encrypted:false
                                                                  SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):192
                                                                  Entropy (8bit):2.795995823915415
                                                                  Encrypted:false
                                                                  SSDEEP:3:kkFkle0gPQXfllXlE/zMcyzXNNX8RolJuRdyo1dlUKlGXJlDdt:kKHr1yzdNMa8Rdy+UKcXP
                                                                  MD5:D5EA50AB6E2D47C57A613BC60522B9A0
                                                                  SHA1:1E199675C0C52DE3FDCCCD2415826C7904191969
                                                                  SHA-256:11E594484545FF0179379C437CDA560836777544955144E2DBC50BDD676ED282
                                                                  SHA-512:4312819708CD78D76DF4F374ACFCC8BCFE6B8408A1D98CD47927FA3E7772BDFB24BB4B22D0450BBBDF83C689868EF399BFA37DA20A1E69725AF3C6BA5304AC0C
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1216
                                                                  Entropy (8bit):5.355304211458859
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):835
                                                                  Entropy (8bit):4.694294591169137
                                                                  Encrypted:false
                                                                  SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                                  MD5:6EB47C1CF858E25486E42440074917F2
                                                                  SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                                  SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                                  SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.8493365780126645
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:2C01EPgbbjrSPr7.exe
                                                                  File size:833536
                                                                  MD5:dc6c55fee2366dee1d9c502bf061a8dc
                                                                  SHA1:609b99bc51ea6e1512d4aa1636a4586d2f6b29d6
                                                                  SHA256:99c52b9d5bcaa8af4bae268f70a39b94c0b2879dfed2cbdabd25c6fef5ff2258
                                                                  SHA512:8ca56693aabeeec0e59c1638d9097052bff8363a8f4629c3d523e46f970b4fac8e7a97b6c6c5f504c7eb63c8eb10e1b5785a5cd26b66fba562b1d1cd428e9956
                                                                  SSDEEP:12288:KaufL3YRRhPziuVIf5EKgZU4iFrqSwkVwQjylXPZmQJPEI5xnCIzjLjvllg+WKG:Kzf0H7iuVIRE9ZHo8VQ8N57dlW
                                                                  TLSH:250501153B5D3E62D5ABCB345152C00881B5FC9FBD33E12B7EA73D8E6818B5193A0AB1
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$>~b..............P.............F.... ........@.. ....................... ............@................................
                                                                  Icon Hash:00828e8e8686b000
                                                                  Entrypoint:0x4ccc46
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x627E3E24 [Fri May 13 11:16:52 2022 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xccbf4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xce000 | 0x5a4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcac74 | 0xcae00 | False | 0.900544660736 | data | 7.85472323726 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xce000 | 0x5a4 | 0x600 | False | 0.422526041667 | data | 4.0893027472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
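The .text section in the table above is 0xcae00 raw bytes at entropy 7.85 bits per byte with IMAGE_SCN_CNT_CODE set, while the import table lists only mscoree.dll _CorExeMain: a near-random executable section behind a minimal import table is the shape of a .NET loader whose real payload is stored encrypted or compressed. The following Python is an added example, not Joe Sandbox's or the sample's code; it walks the section table of a PE image, computes the same Shannon entropy figure over each section's raw bytes, and flags executable sections above a threshold of 7.0 bits per byte (the threshold is an assumption, not a Joe Sandbox setting). The minimal PE it builds for itself is constructed test data so the script runs offline; pass the bytes of a real file to section_report to analyse it.

```python
import math
import struct
from collections import Counter

# Section characteristic bits from the PE specification; the threshold is an assumption.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the scale of the Entropy column (8.0 = uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Walk the section table of a PE image held in memory; yields one tuple per section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        yield (name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawsize, chars,
               image[rawptr:rawptr + rawsize])


def section_report(image: bytes) -> list:
    """Entropy per section plus a packed/encrypted flag for executable sections."""
    rows = []
    for name, vaddr, vsize, rawsize, chars, data in pe_sections(image):
        h = shannon_entropy(data)
        executable = bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
        rows.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                     "entropy": round(h, 3), "packed": executable and h >= PACKED_ENTROPY})
    return rows


def build_test_pe(sections) -> bytes:
    """Constructed minimal PE (empty optional header) that exercises the parser offline."""
    hdr_len = 0x40 + 4 + 20 + 40 * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    headers, body, va = bytearray(), bytearray(), 0x2000
    for name, data, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                               len(data), hdr_len + len(body), 0, 0, 0, 0, chars)
        body += data
        va += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + bytes(headers) + bytes(body)


# Constructed sample: a code section in which every byte value is equally common
# (entropy 8.0, the shape of an encrypted payload) and a resource section made of one
# repeated byte (entropy 0.0).
SAMPLE = build_test_pe([
    (b".text", bytes(range(256)) * 4,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rsrc", b"A" * 1024, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for row in section_report(SAMPLE):
        print(row)
```

Entropy alone does not distinguish encryption from compression or from embedded media, so the flag is a triage signal to pair with the import table and the section's characteristics, as done above, rather than a verdict on its own.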
Resources
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xce090 | 0x314 | data | |
RT_MANIFEST | 0xce3b4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
Imports
DLL | Import
mscoree.dll | _CorExeMain
Version Infos
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2017
Assembly Version | 1.0.0.0
InternalName | g863j.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | Coffee Shop
ProductVersion | 1.0.0.0
FileDescription | Coffee Shop
OriginalFilename | g863j.exe
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 12:09:18.696096897 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:18.837666988 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:18.837800026 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:19.225521088 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:19.226907015 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:19.368829966 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:19.369097948 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:19.513761997 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:19.566498995 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:19.643241882 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:19.797015905 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:19.797054052 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:19.797072887 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:19.797126055 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:19.816838980 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:19.959172964 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:20.003353119 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:39.908737898 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:40.050744057 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.052113056 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:40.194169044 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.194650888 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:40.347683907 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.348759890 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:40.490468025 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.490757942 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:40.647701979 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.647914886 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:40.789446115 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.790183067 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:40.790239096 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:40.791019917 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:40.791034937 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
May 14, 2022 12:09:40.931632042 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.931677103 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.932300091 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.932327032 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.932929993 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3
May 14, 2022 12:09:40.973928928 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 12:09:18.372874975 CEST | 54205 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 12:09:18.523155928 CEST | 53 | 54205 | 8.8.8.8 | 192.168.2.3
May 14, 2022 12:09:18.532202959 CEST | 62756 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 12:09:18.673108101 CEST | 53 | 62756 | 8.8.8.8 | 192.168.2.3
May 14, 2022 12:09:24.027848959 CEST | 58497 | 53 | 192.168.2.3 | 8.8.8.8
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 14, 2022 12:09:18.372874975 CEST | 192.168.2.3 | 8.8.8.8 | 0xc04d | Standard query (0) | mail.dtvcambodia.com | A (IP address) | IN (0x0001)
May 14, 2022 12:09:18.532202959 CEST | 192.168.2.3 | 8.8.8.8 | 0xc312 | Standard query (0) | mail.dtvcambodia.com | A (IP address) | IN (0x0001)
May 14, 2022 12:09:24.027848959 CEST | 192.168.2.3 | 8.8.8.8 | 0xe66d | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 14, 2022 12:09:18.523155928 CEST | 8.8.8.8 | 192.168.2.3 | 0xc04d | No error (0) | mail.dtvcambodia.com | dtvcambodia.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 12:09:18.523155928 CEST | 8.8.8.8 | 192.168.2.3 | 0xc04d | No error (0) | dtvcambodia.com | | 192.185.162.134 | A (IP address) | IN (0x0001)
May 14, 2022 12:09:18.673108101 CEST | 8.8.8.8 | 192.168.2.3 | 0xc312 | No error (0) | mail.dtvcambodia.com | dtvcambodia.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 12:09:18.673108101 CEST | 8.8.8.8 | 192.168.2.3 | 0xc312 | No error (0) | dtvcambodia.com | | 192.185.162.134 | A (IP address) | IN (0x0001)
May 14, 2022 12:09:24.049050093 CEST | 8.8.8.8 | 192.168.2.3 | 0xe66d | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001)
SMTP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 14, 2022 12:09:19.225521088 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3 | 220-jimmy.websitewelcome.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 05:09:19 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 14, 2022 12:09:19.226907015 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134 | EHLO 704672
May 14, 2022 12:09:19.368829966 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3 | 250-jimmy.websitewelcome.com Hello 704672 [102.129.143.55]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 14, 2022 12:09:19.369097948 CEST | 49852 | 587 | 192.168.2.3 | 192.185.162.134 | STARTTLS
May 14, 2022 12:09:19.513761997 CEST | 587 | 49852 | 192.185.162.134 | 192.168.2.3 | 220 TLS go ahead
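The exchange above is the exfiltration channel: the infected host connects directly to mail.dtvcambodia.com (192.185.162.134) on submission port 587, identifies itself with EHLO 704672 (the workstation name rather than a mail-host FQDN), and issues STARTTLS; everything after "220 TLS go ahead", including the AUTH exchange and the message carrying the stolen data, is TLS-encrypted on the wire, which is why the capture stops there. Two things in the surrounding tables are not indicators: 102.129.143.55 is the sandbox's egress address as seen by the server, and x1.i.lencr.org is Let's Encrypt's issuer-certificate host (the CNAME into letsencrypt.org infrastructure is visible in the DNS answer), consistent with Windows building the certificate chain for that TLS session. The Python below is an added example, not part of the Joe Sandbox report: it parses a transcript in the shape of the table (constructed inline from the lines shown), pairs each client command with its multi-line reply, and produces findings and an IOC set that keeps the server and port but leaves the sandbox egress IP out.

```python
import re
from dataclasses import dataclass, field

# Constructed transcript reproducing the visible part of the exchange in the table above
# ("S:" = server 192.185.162.134:587, "C:" = infected host 192.168.2.3:49852).
CAPTURE = """\
S: 220-jimmy.websitewelcome.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 05:09:19 -0500
S: 220-We do not authorize the use of this system to transport unsolicited,
S: 220 and/or bulk e-mail.
C: EHLO 704672
S: 250-jimmy.websitewelcome.com Hello 704672 [102.129.143.55]
S: 250-SIZE 52428800
S: 250-8BITMIME
S: 250-PIPELINING
S: 250-PIPE_CONNECT
S: 250-AUTH PLAIN LOGIN
S: 250-STARTTLS
S: 250 HELP
C: STARTTLS
S: 220 TLS go ahead
"""

# A mail host announces itself with a dotted name containing at least one letter.
FQDN = re.compile(r"(?=.*[A-Za-z])[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


@dataclass
class SmtpSession:
    banner_host: str = ""
    ehlo_name: str = ""
    client_public_ip: str = ""        # what the server saw: the sandbox egress address
    extensions: list = field(default_factory=list)
    auth_mechanisms: list = field(default_factory=list)
    starttls_accepted: bool = False
    client_commands: list = field(default_factory=list)


def parse_smtp(capture: str) -> SmtpSession:
    """Pair each client command with the (possibly multi-line) server reply that answers it."""
    s = SmtpSession()
    pending = None          # client command awaiting its reply (None while reading the banner)
    reply = []              # (code, text) lines of the reply being assembled
    for raw in capture.splitlines():
        side, _, line = raw.partition(": ")
        if side == "C":
            s.client_commands.append(line)
            pending = line
            continue
        code, sep, text = line[:3], line[3:4], line[4:]
        reply.append((code, text))
        if sep == "-":      # "250-..." continues the reply, "250 ..." terminates it
            continue
        verb = pending.split()[0].upper() if pending else None
        if verb is None and code == "220":
            s.banner_host = reply[0][1].split()[0]
        elif verb == "EHLO" and code == "250":
            s.ehlo_name = pending.split(maxsplit=1)[1]
            m = re.search(r"\[([\d.]+)\]", reply[0][1])
            s.client_public_ip = m.group(1) if m else ""
            for _, ext in reply[1:]:
                s.extensions.append(ext)
                if ext.upper().startswith("AUTH "):
                    s.auth_mechanisms = ext.split()[1:]
        elif verb == "STARTTLS" and code == "220":
            s.starttls_accepted = True
        reply, pending = [], None
    return s


def findings(s: SmtpSession) -> list:
    out = []
    if s.ehlo_name and not FQDN.fullmatch(s.ehlo_name):
        out.append(f"EHLO identity '{s.ehlo_name}' is a workstation name, not a mail-host FQDN")
    if s.auth_mechanisms:
        out.append("server offers AUTH " + " ".join(s.auth_mechanisms)
                   + ": the login happens after STARTTLS, so credentials must come from the malware configuration, not this capture")
    if s.starttls_accepted:
        out.append("STARTTLS accepted: AUTH and the exfiltrated message are TLS-encrypted on the wire")
    return out


def iocs(s: SmtpSession, dst_ip: str, dst_port: int) -> dict:
    """Indicators worth blocking; the sandbox egress IP is deliberately excluded."""
    return {"smtp_server": s.banner_host, "dst": f"{dst_ip}:{dst_port}", "ehlo": s.ehlo_name}


if __name__ == "__main__":
    session = parse_smtp(CAPTURE)
    print(iocs(session, "192.185.162.134", 587))
    for line in findings(session):
        print("-", line)
```

The EHLO check is the detection that transfers to production mail logs: a workstation that talks SMTP directly to an external submission port and identifies itself by hostname is exactly what an infostealer's built-in mail client looks like, whereas legitimate clients go through the organisation's relay.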


Target ID: 0
Start time: 12:07:20
Start date: 14/05/2022
Path: C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe"
Imagebase: 0xb50000
File size: 833536 bytes
MD5 hash: DC6C55FEE2366DEE1D9C502BF061A8DC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.286333778.000000000403F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.286333778.000000000403F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 4
Start time: 12:07:36
Start date: 14/05/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x700000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.507717756.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.507717756.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.279997636.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.279997636.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.279367854.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.279367854.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.280271675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.280271675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.279715834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.279715834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high


Execution Graph

Execution Coverage: 6.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 17.9%
Total number of Nodes: 56
Total number of Limit Nodes: 3

Paths in the graph (addresses in the 0x2da0000 decrypted-code region) that reach Win32 APIs; the full edge list of the graph image is not reproduced:
• 0x2da43da and 0x2da385e -> 0x2da5bf0 / 0x2da5bf8 -> VirtualProtect (0x2da5c40 / 0x2da5bf6)
• 0x2da98cd -> 0x2da9e21 / 0x2da9e30 -> 0x2da9e4d -> 0x2daa83f / 0x2daa850 -> CreateProcessW (via 0x2daaeb8 -> 0x2dac418 -> 0x2dac497)
• 0x2dac918 -> VirtualAllocEx (0x2dac95b)
• 0x2dac9c0 -> WriteProcessMemory (0x2daca0b)
• 0x2dac848 -> ReadProcessMemory (0x2dac893)
• 0x2dac788 -> SetThreadContext (0x2dac7d0)
• 0x2dacb78 -> ResumeThread (0x2dacbb9)
• 0x2dacc18 -> 0x2daab28 -> PostMessageW (0x2dace98)
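The API nodes in the execution graph above are the building blocks of process hollowing, and the process list shows the target: RegSvcs.exe (Target ID 4), started by the sample and matching the AgentTesla rules at 0x402000 in every snapshot. A sandbox or EDR API trace turns this into a detection by checking, per parent/child pair, that CreateProcessW, WriteProcessMemory, SetThreadContext and ResumeThread occur in that order against the same child; VirtualAllocEx and ReadProcessMemory are supporting calls, and a CREATE_SUSPENDED creation flag raises confidence. The Python below is an added example, not Joe Sandbox's signature logic. The trace it processes is constructed to mirror the graph, and the argument shapes (flags, sizes, pid fields) are assumptions about the log format rather than something the report shows.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004      # dwCreationFlags bit of CreateProcessW
PAGE_EXECUTE_READWRITE = 0x40

# Constructed API trace in the shape of a sandbox/EDR log: (caller_pid, api, arguments).
# The first group mirrors the API nodes in the execution graph; the second is a parent
# that merely spawns and inspects a child and must not be flagged.
TRACE = [
    (1000, "CreateProcessW", {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                              "flags": CREATE_SUSPENDED, "new_pid": 1004}),
    (1000, "ReadProcessMemory", {"pid": 1004, "size": 4}),            # read the child's image base
    (1000, "VirtualAllocEx", {"pid": 1004, "addr": 0x400000, "size": 0xD0200,
                              "protect": PAGE_EXECUTE_READWRITE}),
    (1000, "WriteProcessMemory", {"pid": 1004, "addr": 0x400000, "size": 0x200}),    # PE headers
    (1000, "WriteProcessMemory", {"pid": 1004, "addr": 0x402000, "size": 0xCAE00}),  # payload .text
    (1000, "SetThreadContext", {"pid": 1004}),                          # redirect the main thread
    (1000, "ResumeThread", {"pid": 1004}),
    (2000, "CreateProcessW", {"image": r"C:\Windows\System32\notepad.exe", "flags": 0, "new_pid": 2004}),
    (2000, "ReadProcessMemory", {"pid": 2004, "size": 0x1000}),
]

# Stages that must appear in this order against the same child for a hollowing verdict.
HOLLOWING_ORDER = ("CreateProcessW", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
SUPPORTING = ("VirtualAllocEx", "ReadProcessMemory")


def group_by_child(trace):
    """Map (parent_pid, child_pid) to the ordered (api, args) calls the parent issued on the child."""
    per_child = defaultdict(list)
    for caller, api, args in trace:
        child = args.get("new_pid") if api == "CreateProcessW" else args.get("pid")
        if child is not None:
            per_child[(caller, child)].append((api, args))
    return per_child


def in_order(names, order):
    """True if every element of `order` occurs in `names`, each after the previous one."""
    pos = 0
    for stage in order:
        try:
            pos = names.index(stage, pos) + 1
        except ValueError:
            return False
    return True


def detect_hollowing(trace):
    """One finding per parent/child pair whose call sequence matches HOLLOWING_ORDER."""
    findings = []
    for (parent, child), calls in group_by_child(trace).items():
        names = [api for api, _ in calls]
        if not in_order(names, HOLLOWING_ORDER):
            continue
        create = next(args for api, args in calls if api == "CreateProcessW")
        suspended = bool(create["flags"] & CREATE_SUSPENDED)
        findings.append({
            "parent": parent,
            "child": child,
            "image": create["image"],
            "suspended": suspended,
            "bytes_written": sum(a["size"] for api, a in calls if api == "WriteProcessMemory"),
            "supporting_calls": [api for api in names if api in SUPPORTING],
            "confidence": "high" if suspended else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(TRACE):
        print(finding)
```

Requiring the ordered subsequence rather than the mere presence of the four APIs is what keeps debuggers, crash handlers and installers (which read and sometimes write a child's memory but never rewrite its thread context before resuming it) out of the results; the same logic applies unchanged to Sysmon-style event streams once the events are normalised into (caller, api, args) tuples.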

Control-flow Graph: function 0x2da0040-0x2da043a (the basic-block edge list and the executed / not executed colouring of the graph image are not reproduced; the function calls 0x2da0628 / 0x2da0623)

Strings
Memory Dump Source
• Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
Similarity
• API ID:
• String ID: 7$7$~=JQ
• API String ID: 0-1297039826
• Opcode ID: 3cf0741b7ad30222caef592db5da25a82bdf2223acdc64c95cdc7d50086e2693
• Instruction ID: d5bdcbe190f655360286e3681d90885f40c3dda25d150041b6e366e4da621971
• Opcode Fuzzy Hash: 3cf0741b7ad30222caef592db5da25a82bdf2223acdc64c95cdc7d50086e2693
• Instruction Fuzzy Hash: 30C12974D0420ADFCB04CFA6C4919AEFBB2FF89301B259559D416AB314DB34E942CF95
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph: function 0x2daa850-0x2daaa64 (edge list and colouring not reproduced; the function calls 0x2daaeb8, the path the execution graph resolves to CreateProcessW)

Strings
Memory Dump Source
• Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
Similarity
• API ID:
• String ID: '7,:$/c+S$/c+S
• API String ID: 0-3561956612
• Opcode ID: d29347df139d01a04188e9e311e8ae20cad4fc7b95a47837f7cd8ab2cd20aac3
• Instruction ID: 2be2c940e3f40a9d9f8a55b6147544cbd6db6cd4f3e0574a45c6b1087f2259ea
• Opcode Fuzzy Hash: d29347df139d01a04188e9e311e8ae20cad4fc7b95a47837f7cd8ab2cd20aac3
• Instruction Fuzzy Hash: 3B512574D06218DBCB04CFA5E590ADDFBF6BB89300F20A12AE446B7354E7349E86CB54
Uniqueness
• Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 103 2da9e90-2da9eb2 104 2da9eb9-2da9ed2 103->104 105 2da9eb4 103->105 106 2da9ed3 104->106 105->104 107 2da9eda-2da9ef6 106->107 108 2da9ef8 107->108 109 2da9eff-2da9f00 107->109 108->106 108->109 110 2da9f19-2da9f22 108->110 111 2daa119-2daa122 108->111 112 2daa0bf-2daa0cd 108->112 113 2daa0d2-2daa114 call 2da8d98 108->113 114 2daa052-2daa05b 108->114 115 2da9fd1-2da9ffc call 2da9da8 call 2da9de8 108->115 116 2da9f48-2da9f8a call 2da8d98 108->116 117 2daa0a8-2daa0ba 108->117 118 2da9f8f-2da9fa7 108->118 119 2da9fac-2da9fbe 108->119 120 2daa02d-2daa03f 108->120 121 2da9fc3-2da9fcc 108->121 122 2daa060-2daa06e 108->122 123 2daa001-2daa00d 108->123 124 2daa044-2daa04d 108->124 125 2da9f24-2da9f46 call 2da9da8 call 2da9de8 108->125 126 2da9f05-2da9f17 108->126 109->111 110->107 112->107 113->107 114->107 115->107 116->107 117->107 118->107 119->107 120->107 121->107 144 2daa079-2daa0a3 122->144 129 2daa00f 123->129 130 2daa016-2daa028 123->130 124->107 125->107 126->107 129->110 129->114 129->121 129->124 129->130 130->107 144->107
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: TYf$hjr)
                                                                    • API String ID: 0-1134518552
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Control-flow Graph
                                                                    • Entry block 2da9e81; calls 2da8d98, 2da9da8, 2da9de8 (rendered graph data omitted)
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: TYf$hjr)
                                                                    • API String ID: 0-1134518552
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Control-flow Graph
                                                                    • Entry block 2daa83f; calls 2daaeb8 (rendered graph data omitted)
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: '7,:$/c+S
                                                                    • API String ID: 0-553543793
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Control-flow Graph
                                                                    • Entry block 2da0007; calls 2da0628, 2da0623 (rendered graph data omitted)
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ~=JQ
                                                                    • API String ID: 0-2431498397
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: N4(-
                                                                    • API String ID: 0-1634684801
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: N4(-
                                                                    • API String ID: 0-1634684801
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: W=t
                                                                    • API String ID: 0-2133640408
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Control-flow Graph
                                                                    • Entry block 2dac418; calls CreateProcessW (rendered graph data omitted)
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02DAC56B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Control-flow Graph
                                                                    • Entry block 2daaab5; calls PostMessageW (rendered graph data omitted)
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 02DACEF5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Control-flow Graph
                                                                    • Entry block 2dac9c0; calls WriteProcessMemory (rendered graph data omitted)
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02DACA4D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Control-flow Graph
                                                                    • Entry block 2dac848; calls ReadProcessMemory (rendered graph data omitted)
                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DAC8C7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    Uniqueness
                                                                    • Uniqueness Score: -1.00%
                                                                    Control-flow Graph
                                                                    • Entry block 2dac788; calls SetThreadContext (rendered graph data omitted)
                                                                    APIs
                                                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 02DAC7FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID: ContextThread
                                                                    • String ID:
                                                                    • API String ID: 1591575202-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (basic blocks and edges recovered from the graph image; executed/not-executed colouring not recoverable)
                                                                    • Block 320: 2da5bf8-2da5c78 (VirtualProtect)
                                                                    • Block 322: 2da5c7a-2da5c80
                                                                    • Block 323: 2da5c81-2da5ca2
                                                                    • Edges: 320->322, 320->323, 322->323
                                                                    APIs
                                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02DA5C6B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: 5f5b2eddc1a413c2b01973c1c6962f29548d17fcfab54edb2bd2d5156baf8f76
                                                                    • Instruction ID: 5397598b9be4b4bf7ef3f316f1952984f5bf7cb14142c5215fa2ac7a0eaa8298
                                                                    • Opcode Fuzzy Hash: 5f5b2eddc1a413c2b01973c1c6962f29548d17fcfab54edb2bd2d5156baf8f76
                                                                    • Instruction Fuzzy Hash: C7210671D042499FCB10CF9AD584BDEBBF4EB48320F108429E558A7340D374A944DFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (basic blocks and edges recovered from the graph image; executed/not-executed colouring not recoverable)
                                                                    • Block 313: 2da5bf0-2da5bf4
                                                                    • Block 314: 2da5c3a-2da5c78 (VirtualProtect)
                                                                    • Block 315: 2da5bf6-2da5c38
                                                                    • Block 317: 2da5c7a-2da5c80
                                                                    • Block 318: 2da5c81-2da5ca2
                                                                    • Edges: 313->314, 313->315, 314->317, 314->318, 315->314, 317->318
                                                                    APIs
                                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02DA5C6B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: a2b8fb0737c5fa4418a661e6cccfc32c9fa118485a4f222ace628bf41a98ff04
                                                                    • Instruction ID: f6b92586c0c73fe14de70cd7a7500a64e809609b86ae0b3ad2bb972e86e50b8c
                                                                    • Opcode Fuzzy Hash: a2b8fb0737c5fa4418a661e6cccfc32c9fa118485a4f222ace628bf41a98ff04
                                                                    • Instruction Fuzzy Hash: 762117B6D002499FCB10CF99D580BDEBBF0FB48324F148469E968A7310D778A945DFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02DAC983
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 0161261feca7226eb004465ad09a2c9b5408ec832a99eaa873b87271a1c174d8
                                                                    • Instruction ID: 3b6bb91d09c4ecfadb99639e3ef3f506efb8c0f236e8853bb4ae339709500c80
                                                                    • Opcode Fuzzy Hash: 0161261feca7226eb004465ad09a2c9b5408ec832a99eaa873b87271a1c174d8
                                                                    • Instruction Fuzzy Hash: 7911E0B59042499FCB10CF9AD984BDEBBF4FB88324F10845AE528A7310D775A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 02DACEF5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: 9d16e15d9a96f9923a6a9873f26bc9af902122e723e3300444e1629c23da331e
                                                                    • Instruction ID: 979da8720721643df5b12737bf75acdf08504d45b396fe7bd66f2c4fe70b9500
                                                                    • Opcode Fuzzy Hash: 9d16e15d9a96f9923a6a9873f26bc9af902122e723e3300444e1629c23da331e
                                                                    • Instruction Fuzzy Hash: 5611F5B59043489FCB10CF99C595BEFBBF8EB48324F10845AE558A7700D375A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    • Opcode ID: 8f67421257e7ec802d0484938a188cc12ba46272dfeacd8c7ac08efe8e4b6436
                                                                    • Instruction ID: 4d1f4e8715df93dbc3ed3beaf4a5bff7cf377c463f74ed8e1b154cc8f999c3a3
                                                                    • Opcode Fuzzy Hash: 8f67421257e7ec802d0484938a188cc12ba46272dfeacd8c7ac08efe8e4b6436
                                                                    • Instruction Fuzzy Hash: 9611EEB19042498FCB10CF9AD984BDEBBF8EB88324F10845AD529A7340D779A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;N`$;N`
                                                                    • API String ID: 0-2049779043
                                                                    • Opcode ID: faf67cf2c11b104fab278927908c9ee285a676b097b28e13d69c037912eb9e79
                                                                    • Instruction ID: 58aecb0451e26fca6a0db9aa232bd9b8b6d2c532a93a0c34c673187e0982edc8
                                                                    • Opcode Fuzzy Hash: faf67cf2c11b104fab278927908c9ee285a676b097b28e13d69c037912eb9e79
                                                                    • Instruction Fuzzy Hash: B36127B4E1521ADBCB04CFA6D4919AEFBB6FF88300F14902AD459AB344D3749A42CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: D04l
                                                                    • API String ID: 0-4000787298
                                                                    • Opcode ID: 02c4e322967e0faa79aaf900d99c391a575c3a875ac654de47530776f41417b2
                                                                    • Instruction ID: e163d83523f92d9951fa111ac4a1c3f488f068821c5e83cf77254d6cfcf3272a
                                                                    • Opcode Fuzzy Hash: 02c4e322967e0faa79aaf900d99c391a575c3a875ac654de47530776f41417b2
                                                                    • Instruction Fuzzy Hash: EBC1BE75E0525A8FDB08CFB8C561AAEFBF2AF88214F258429D515E7354EB34DD01CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >DS
                                                                    • API String ID: 0-2404021088
                                                                    • Opcode ID: 0af2b4b121c3831cb48464e666405fefe583c6b3812c761c12fd08d57fde2126
                                                                    • Instruction ID: b516e28fcd88a71fe6433955ab0cc52fe948501177d0a614e8051b0abb96c0df
                                                                    • Opcode Fuzzy Hash: 0af2b4b121c3831cb48464e666405fefe583c6b3812c761c12fd08d57fde2126
                                                                    • Instruction Fuzzy Hash: 1971E074E0520ADFCB04CF99D5919AEFBB2FF49210F149519D419AB304D734EA42CFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >DS
                                                                    • API String ID: 0-2404021088
                                                                    • Opcode ID: c8e1d7a16e37234ea4bf44a594476a87caeabb489b8153c65222b8e9f9146926
                                                                    • Instruction ID: c31e3c034961d15faff6d6b1d8af8671cce3e7480949356abc1f9059ef32b467
                                                                    • Opcode Fuzzy Hash: c8e1d7a16e37234ea4bf44a594476a87caeabb489b8153c65222b8e9f9146926
                                                                    • Instruction Fuzzy Hash: D761D174E0520ACFCB04CFA9C5919AEFBB2BF89210F14955AD459AB304D734DA42CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: C/L
                                                                    • API String ID: 0-360731833
                                                                    • Opcode ID: 7c46cf60d297687a992466c786e520e28662f307affbe39a1b86f45f825723c6
                                                                    • Instruction ID: f0bb9336343fc5e9e65781ca665ca0fcbc83060fbad101fe59681bc83353b150
                                                                    • Opcode Fuzzy Hash: 7c46cf60d297687a992466c786e520e28662f307affbe39a1b86f45f825723c6
                                                                    • Instruction Fuzzy Hash: 1041B9B0E1560ADBCB48CF9AC5559AEFBF2AF88300F24D569C905B7314D7349A41CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: C/L
                                                                    • API String ID: 0-360731833
                                                                    • Opcode ID: bae5c592d2de1f3a3f75b179c22eab4143dafbf2db2e2dfe652238c4001a9267
                                                                    • Instruction ID: 9dd09b73d3c39b2e647246cc9bf33336aae8ec2c18ba341bff46624d41d2cc03
                                                                    • Opcode Fuzzy Hash: bae5c592d2de1f3a3f75b179c22eab4143dafbf2db2e2dfe652238c4001a9267
                                                                    • Instruction Fuzzy Hash: 7A41D4B4E0560A9BCB08CF9AC5859AEFBB2EF88300F24D46AC905B7314D7349A41CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: W=t
                                                                    • API String ID: 0-2133640408
                                                                    • Opcode ID: d07f55d77271b0548bfb65127cd955bb8a4e7c3f953cf9f54b5000ca131399c8
                                                                    • Instruction ID: f6123f0073078dfd32b9e5423e5fb762d4528c983cc6d52b1a9efa48e11fe1c4
                                                                    • Opcode Fuzzy Hash: d07f55d77271b0548bfb65127cd955bb8a4e7c3f953cf9f54b5000ca131399c8
                                                                    • Instruction Fuzzy Hash: 8811CB71E046189BEB5CCF6BD84469EFAF3AFC8300F04C17AD908A6258EB3409468F55
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b6e0ff1667198f86b33219a664d163c6b180b69163da7a50db54743235bc94e9
                                                                    • Instruction ID: d64732605a20bf95b1697eeba31121fd28ba318a89b59cf540d2371e3cc41a42
                                                                    • Opcode Fuzzy Hash: b6e0ff1667198f86b33219a664d163c6b180b69163da7a50db54743235bc94e9
                                                                    • Instruction Fuzzy Hash: B9C127B0E05219DFDB14CFA9C990AAEFBB2FF89200F249169D509AB355DB309E41CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d92049f6c095dea8f802e4a7295ab71c81a72a974a9ac9a6d2358cbc3e5ee3e1
                                                                    • Instruction ID: ce0ebb551381729a4b23ecbc298ed06a6c18ceff5e24afea755909fee72700aa
                                                                    • Opcode Fuzzy Hash: d92049f6c095dea8f802e4a7295ab71c81a72a974a9ac9a6d2358cbc3e5ee3e1
                                                                    • Instruction Fuzzy Hash: 7FC158B0E15219CFDB14CFA9C990AAEFBF2BF89200F24916AD409AB355D7309E41CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1076d09f628880cd97125d2fc7b29ada01efd8d6580cf3f04c86011f1f8237ad
                                                                    • Instruction ID: 04a9d8bc12bbfbe51a827c2a3734ad5816263fa39456a922d592da7ef1118b0b
                                                                    • Opcode Fuzzy Hash: 1076d09f628880cd97125d2fc7b29ada01efd8d6580cf3f04c86011f1f8237ad
                                                                    • Instruction Fuzzy Hash: 7EB147B4E05219CFDB14CFA8C990AAEFBB2FF89204F2495A9D509AB355D7309E41CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2797018d36c65f00a88dc9f7a9e01b3d4536ff25f8eadbdd1f404b1c8db764fe
                                                                    • Instruction ID: 78872c0451b7adca75cf0a08397ef7b06426451e6a77035479438c130756a04f
                                                                    • Opcode Fuzzy Hash: 2797018d36c65f00a88dc9f7a9e01b3d4536ff25f8eadbdd1f404b1c8db764fe
                                                                    • Instruction Fuzzy Hash: 40A157B0E05219DFDB14CFA8CA90AAEF7B2FF89204F209569D40AAB355D7309E41CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8330358916d6a8148835730498051e9caded26f3f6f7f25334ff62ba85286afb
                                                                    • Instruction ID: 7053d43aa1d94a6aaa612a5e4e159472b25e6617a1f7c82b9d2b63851af8b30b
                                                                    • Opcode Fuzzy Hash: 8330358916d6a8148835730498051e9caded26f3f6f7f25334ff62ba85286afb
                                                                    • Instruction Fuzzy Hash: B581CF74E10219CFCB04CFA9C58499EFBF2FF88251F249569E419AB364D330AA42CF55
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9109fda15f1b7bec8741b944d98ff2d2b0e2924ae73af9c1927ab5748c6ba255
                                                                    • Instruction ID: 031b70989fecb830ffab3fe8d2fe0e5761f413e0056418409fd7a7610cd2a7ab
                                                                    • Opcode Fuzzy Hash: 9109fda15f1b7bec8741b944d98ff2d2b0e2924ae73af9c1927ab5748c6ba255
                                                                    • Instruction Fuzzy Hash: D671E074E10219CFCB04CFA9C58499EBBF2FF88211F24956AE419AB364D330AE46CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 467fd2c52b95beefa6689d0ec9e01700fd7a2520755aa58663dd5d5a5e9ec058
                                                                    • Instruction ID: b9d194d71a4e77d28374d1c8f0afa4ace5bd1bbe189fa60e767469e322c16810
                                                                    • Opcode Fuzzy Hash: 467fd2c52b95beefa6689d0ec9e01700fd7a2520755aa58663dd5d5a5e9ec058
                                                                    • Instruction Fuzzy Hash: C871FE71E046558FDB59CF7B895428AFBB3AFCA214F19C1FAC8889A215DF340986CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 45ce07437a27663c17b771ce5888b98905a029863d26fcafc947e9c5d5627120
                                                                    • Instruction ID: 591befe46494b985b065d07e6519e5d2a1450d0a0646c04e39e3e33d3f05acb2
                                                                    • Opcode Fuzzy Hash: 45ce07437a27663c17b771ce5888b98905a029863d26fcafc947e9c5d5627120
                                                                    • Instruction Fuzzy Hash: 61711370E152198FCB08CFAAC9959DEBBF2BB99310F24942AD815F7354D3349A41CB68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fdf945084d8d590e9ad88fd3f09ad8f95592d3e8e2f89d51ce2400509dbcf378
                                                                    • Instruction ID: 22dd00ebc9237235102b59a91849dc154bd66b9db13be87f6a18a1f5cbc2e06d
                                                                    • Opcode Fuzzy Hash: fdf945084d8d590e9ad88fd3f09ad8f95592d3e8e2f89d51ce2400509dbcf378
                                                                    • Instruction Fuzzy Hash: 74613B70E0521A9FEB04CFAAC490AAEFBF2BF89310F14D42AD415A7354D7349A41CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7e0fe42f2d50b856779b03c3d5f06419318cd0f68ac43d9224d5531ee43b676d
                                                                    • Instruction ID: 85877594c04e0efc6247e4aa289eb97c9f59fd8c34e9eb35922572ffebeb1ab4
                                                                    • Opcode Fuzzy Hash: 7e0fe42f2d50b856779b03c3d5f06419318cd0f68ac43d9224d5531ee43b676d
                                                                    • Instruction Fuzzy Hash: D7710270E152198BCB08CFAAC5959DEFBF2BF98310F24942AD815BB354D3749A41CB68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c41f8d92368f578f4d5f610446dd62f60fdcb5d1a04e2d56229ee09879195c6e
                                                                    • Instruction ID: edf568ca3f55aa15a22472a0be888eb81f8251b00d69c53986733aa220f01101
                                                                    • Opcode Fuzzy Hash: c41f8d92368f578f4d5f610446dd62f60fdcb5d1a04e2d56229ee09879195c6e
                                                                    • Instruction Fuzzy Hash: F56138B5E0521A9BCB04CFA5D4519AEFBF2FF88300F14906AD419A7344D378DA42CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5bf732df8a64741018400bb6d04feaaaeac63151ebbedda85dacad822593865f
                                                                    • Instruction ID: 6b899e9dd80ef29f1995b64827e5187b5938b100a31ea92bcf4ed7de43bdfd66
                                                                    • Opcode Fuzzy Hash: 5bf732df8a64741018400bb6d04feaaaeac63151ebbedda85dacad822593865f
                                                                    • Instruction Fuzzy Hash: 02512A75D1460A8FCB04CFA6C8459AEBBF2AF89310F24C56AC915A7354D7349A42CF54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2109b3c862210f6cdcfbec3cdf710c61477480e46263dee74573c25c33343305
                                                                    • Instruction ID: 785ec784594cb2a601c50e4e2e15ee5dfdc936826fbf479ad62832a836e03f77
                                                                    • Opcode Fuzzy Hash: 2109b3c862210f6cdcfbec3cdf710c61477480e46263dee74573c25c33343305
                                                                    • Instruction Fuzzy Hash: 3951F975D1460A9BCB04CFAAC4859EEFBF2AF88300F24D42AC955A7354D7349A42CFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2be86e4facfa71f3d9911156d7847bdfe354e7c1f468ce9bb354945a13559298
                                                                    • Instruction ID: 2f94518b4c7f55000e4475279a412e3c82f53b80ac12fa1399a143a883f43765
                                                                    • Opcode Fuzzy Hash: 2be86e4facfa71f3d9911156d7847bdfe354e7c1f468ce9bb354945a13559298
                                                                    • Instruction Fuzzy Hash: 24416D71E116588BDB68DF6B9D4579EFBF3AFC8300F14C1BA850CA6214DB300A858F11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7f39e7e6936febceeb174ff91cfb8115089751ec90592c55dec5951272e7cf9f
                                                                    • Instruction ID: 2816b5f3533be2778238f9c050c2523da8fd95de186e0683ecd2bd81c252225d
                                                                    • Opcode Fuzzy Hash: 7f39e7e6936febceeb174ff91cfb8115089751ec90592c55dec5951272e7cf9f
                                                                    • Instruction Fuzzy Hash: B0110671E112199BDB48CFABD940AAEFBF7ABC8210F14C13AD508A7214DB305A02CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 39c8221b3e53a0b59b106ee19d836f5c8b6f41457dde719810ccbb7f2be013fd
                                                                    • Instruction ID: 8545d6c699dfeb2e724b8a844685b170510e9384cfe37b0499db5a0b5bd0628d
                                                                    • Opcode Fuzzy Hash: 39c8221b3e53a0b59b106ee19d836f5c8b6f41457dde719810ccbb7f2be013fd
                                                                    • Instruction Fuzzy Hash: 1B111471E116188BDB18CFABD941AEEFBF7ABC8210F14C06AD808A7254DB315A018F91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f8cac07878b0e20aa5b205eac8cf0b7687da8b48037c430cfb72c5ea98240c53
                                                                    • Instruction ID: 77ea22ace46cfe022fe5fdbef7cdcb399ead303447a14ce35c119a5116567a5b
                                                                    • Opcode Fuzzy Hash: f8cac07878b0e20aa5b205eac8cf0b7687da8b48037c430cfb72c5ea98240c53
                                                                    • Instruction Fuzzy Hash: 3311B971E116199BDB48CF6BD945AAEFAF7AFC8200F14C13A9408B6354DB304A42CF55
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.282363540.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2da0000_2C01EPgbbjrSPr7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f28ffb0a3824f01ca605c999d68ae7007be3a986d048a506ac64b2b9b9b43db9
                                                                    • Instruction ID: 337934950b5ceefc1f8ddb54bfe4fb39fdf8423f8a774835e52fd3ec163c62bf
                                                                    • Opcode Fuzzy Hash: f28ffb0a3824f01ca605c999d68ae7007be3a986d048a506ac64b2b9b9b43db9
                                                                    • Instruction Fuzzy Hash: 2011F5B0E116188BDB58CFABD9416AEFBF7AFC8200F14C02AD808E7354DB304A018F51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:20.9%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:89
                                                                    Total number of Limit Nodes:5
                                                                    execution_graph: [rendered graph data omitted; node/edge serialization of the execution graph widget. API calls that appear as graph nodes: CallWindowProcW, RtlEncodePointer, CreateWindowExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, LoadLibraryA, DuplicateHandle]

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph for function 5edc99e-5edd45c: [rendered graph data omitted; node/edge serialization of the control-flow graph widget. API calls in this function (QueryDosDeviceA, LoadModule, SetVolumeLabelW, LocalFlags, UnregisterWaitUntilOOBECompleted, KiUserExceptionDispatcher x2, LdrInitializeThunk) are listed with their reference addresses under APIs below; the graph also shows calls into 5edb2d0, 5edaed8, 5edaf20 and the helpers at e20000-e2d798]
                                                                    APIs
                                                                    • QueryDosDeviceA.KERNEL32 ref: 05EDC9E3
                                                                    • LoadModule.KERNEL32 ref: 05EDCAA9
                                                                    • SetVolumeLabelW.KERNEL32 ref: 05EDCAEE
                                                                    • LocalFlags.KERNEL32 ref: 05EDCB33
                                                                    • UnregisterWaitUntilOOBECompleted.KERNEL32 ref: 05EDCB78
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$CompletedDeviceFlagsInitializeLabelLoadLocalModuleQueryThunkUnregisterUntilVolumeWait
                                                                    • String ID:
                                                                    • API String ID: 3705852545-0
                                                                    • Opcode ID: 0ba605c7b1ab11b783e09a0919cec874a5997c59e680f086c1708abd8f4392f0
                                                                    • Instruction ID: 2a3ae287cb52a07b741bcaed0df8bbe648025485a4f6d1f9997f3af8db803187
                                                                    • Opcode Fuzzy Hash: 0ba605c7b1ab11b783e09a0919cec874a5997c59e680f086c1708abd8f4392f0
                                                                    • Instruction Fuzzy Hash: F2A2F574A01228CFCB65EF64DD58B99B7B6BF48305F1081EAD50AA3350DB35AE86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.509028836.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_e20000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4545adc687222126a0508d4ebfc8461e0e5217c08e5b036a4d4063a9ec5f64d5
                                                                    • Instruction ID: 4338dff48a97e0fcd4a047b54d87fe496853c9bea962f28f2f7f8993c9ea7634
                                                                    • Opcode Fuzzy Hash: 4545adc687222126a0508d4ebfc8461e0e5217c08e5b036a4d4063a9ec5f64d5
                                                                    • Instruction Fuzzy Hash: 6B63FA71D10A59CACB11EF68C984699F7B1FF95304F15D79AE448BB221EB30AAC4CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetShortPathNameA.KERNEL32 ref: 00E25798
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.509028836.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_e20000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: NamePathShort
                                                                    • String ID:
                                                                    • API String ID: 1295925010-0
                                                                    • Opcode ID: 32ade08b892eb264bc4053e691b5916107e0f37dfd07168710ccbe8df9461ca1
                                                                    • Instruction ID: 689d11255d1c545441908f89b77b6f466ba5ebde2042e98d67b642260de71d60
                                                                    • Opcode Fuzzy Hash: 32ade08b892eb264bc4053e691b5916107e0f37dfd07168710ccbe8df9461ca1
                                                                    • Instruction Fuzzy Hash: 9563FA31D10A59CACB11EF68C984A99F7B1FF95304F15D79AE4487B221EB70AAC4CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05EDB20B
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: NameUser
                                                                    • String ID:
                                                                    • API String ID: 2645101109-0
                                                                    • Opcode ID: f5b5ef980ff9c3ebf23b253effd409f7964f8ee3d2ff64367bb9041d2d55836e
                                                                    • Instruction ID: 8296eb2b203b785fb7275949f2e18110b6d02ec31ced2cff3906854e9e9145ec
                                                                    • Opcode Fuzzy Hash: f5b5ef980ff9c3ebf23b253effd409f7964f8ee3d2ff64367bb9041d2d55836e
                                                                    • Instruction Fuzzy Hash: 30511170D002188BDB18CFA9C888B9DFBB5BF48314F159129E855AB350E7749845CFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph
                                                                    • Legend: Executed / Not Executed
                                                                    • Entry block 5edc9bf-5edd45c (calls 5edbc18 and 5edbda8, then the APIs listed below); graph node and edge data not reproduced
                                                                    APIs
                                                                    • QueryDosDeviceA.KERNEL32 ref: 05EDC9E3
                                                                    • LoadModule.KERNEL32 ref: 05EDCAA9
                                                                    • SetVolumeLabelW.KERNEL32 ref: 05EDCAEE
                                                                    • LocalFlags.KERNEL32 ref: 05EDCB33
                                                                    • UnregisterWaitUntilOOBECompleted.KERNEL32 ref: 05EDCB78
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$CompletedDeviceFlagsInitializeLabelLoadLocalModuleQueryThunkUnregisterUntilVolumeWait
                                                                    • String ID:
                                                                    • API String ID: 3705852545-0
                                                                    • Opcode ID: 832b797c96f260a4250cdffaaee9754c1ffd5be981f3a2701f54078a1aaf89d1
                                                                    • Instruction ID: d48197bde8e3cb25f5fe91bdd098baa41b35e1b4448b03f7c0277cb517e2de78
                                                                    • Opcode Fuzzy Hash: 832b797c96f260a4250cdffaaee9754c1ffd5be981f3a2701f54078a1aaf89d1
                                                                    • Instruction Fuzzy Hash: A7521674A00228CFCB65DF74D958799BBB6BF48306F1091EAD50AA3340DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph
                                                                    • Legend: Executed / Not Executed
                                                                    • Entry block 5edca04-5edd45c (calls 5edbc18 and 5edbda8, then the APIs listed below); graph node and edge data not reproduced
                                                                    APIs
                                                                    • LoadModule.KERNEL32 ref: 05EDCAA9
                                                                    • SetVolumeLabelW.KERNEL32 ref: 05EDCAEE
                                                                    • LocalFlags.KERNEL32 ref: 05EDCB33
                                                                    • UnregisterWaitUntilOOBECompleted.KERNEL32 ref: 05EDCB78
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$CompletedFlagsInitializeLabelLoadLocalModuleThunkUnregisterUntilVolumeWait
                                                                    • String ID:
                                                                    • API String ID: 4072977434-0
                                                                    • Opcode ID: a0d223fe7377074c96ab0e2b3dba3a1bac6a5fc351242d57f88f420753d2830a
                                                                    • Instruction ID: a0abd1c27902e58f187cf1d4aabedfedc1a02d14fb71ed8a3171be82349fc972
                                                                    • Opcode Fuzzy Hash: a0d223fe7377074c96ab0e2b3dba3a1bac6a5fc351242d57f88f420753d2830a
                                                                    • Instruction Fuzzy Hash: DA521774900228CFCB65DF74D998799BBB6BF48306F1091EAD50AA3340DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph
                                                                    • Legend: Executed / Not Executed
                                                                    • Entry block 5edca49-5edd45c (calls 5edbc18 and 5edbda8, then the APIs listed below); graph node and edge data not reproduced
                                                                    APIs
                                                                    • LoadModule.KERNEL32 ref: 05EDCAA9
                                                                    • SetVolumeLabelW.KERNEL32 ref: 05EDCAEE
                                                                    • LocalFlags.KERNEL32 ref: 05EDCB33
                                                                    • UnregisterWaitUntilOOBECompleted.KERNEL32 ref: 05EDCB78
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$CompletedFlagsInitializeLabelLoadLocalModuleThunkUnregisterUntilVolumeWait
                                                                    • String ID:
                                                                    • API String ID: 4072977434-0
                                                                    • Opcode ID: 2a25e639df9940b76dd283e3efba3bc83ac6ea50783bd0485eea054f1cf00f63
                                                                    • Instruction ID: 76632d65f9bf706b45e7a3b6f4df959e3b2df139c243e8a9b3e993483525349b
                                                                    • Opcode Fuzzy Hash: 2a25e639df9940b76dd283e3efba3bc83ac6ea50783bd0485eea054f1cf00f63
                                                                    • Instruction Fuzzy Hash: 02521674A00228CFCB65DF74D958799BBB6BF48306F1091EAD50AA3340DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph
                                                                    • Legend: Executed / Not Executed
                                                                    • Entry block 5edca85-5edd45c (calls 5edbc18 and 5edbda8, then the APIs listed below); graph node and edge data not reproduced
                                                                    APIs
                                                                    • LoadModule.KERNEL32 ref: 05EDCAA9
                                                                    • SetVolumeLabelW.KERNEL32 ref: 05EDCAEE
                                                                    • LocalFlags.KERNEL32 ref: 05EDCB33
                                                                    • UnregisterWaitUntilOOBECompleted.KERNEL32 ref: 05EDCB78
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$CompletedFlagsInitializeLabelLoadLocalModuleThunkUnregisterUntilVolumeWait
                                                                    • String ID:
                                                                    • API String ID: 4072977434-0
                                                                    • Opcode ID: 93818f159c9b9ce9553fdf09d4776ccc2b6390da1559b99be9392d365c1acef1
                                                                    • Instruction ID: b3422a7d20ec07d42b501db5f46dbaa6c02107b651690f4ed99a0eaa4cf2e9f9
                                                                    • Opcode Fuzzy Hash: 93818f159c9b9ce9553fdf09d4776ccc2b6390da1559b99be9392d365c1acef1
                                                                    • Instruction Fuzzy Hash: 2D521674A00228CFCB64DF74D958799BBB6BF48306F1091EAD54AA3340DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph
                                                                    • Legend: Executed / Not Executed
                                                                    • Entry block 5edcaca-5edd45c (calls 5edbc18 and 5edbda8, then the APIs listed below); graph node and edge data not reproduced
                                                                    APIs
                                                                    • SetVolumeLabelW.KERNEL32 ref: 05EDCAEE
                                                                    • LocalFlags.KERNEL32 ref: 05EDCB33
                                                                    • UnregisterWaitUntilOOBECompleted.KERNEL32 ref: 05EDCB78
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$CompletedFlagsInitializeLabelLocalThunkUnregisterUntilVolumeWait
                                                                    • String ID:
                                                                    • API String ID: 2945044011-0
                                                                    • Opcode ID: c9ae0e4a607de5877cb8bfbc75b9494a7857118a57d9ededb7dc6f2a9bb0ca74
                                                                    • Instruction ID: c3236449a235f0f23dbb55c21df6c70774a94f047ebc2d296f844a5c8661ee1a
                                                                    • Opcode Fuzzy Hash: c9ae0e4a607de5877cb8bfbc75b9494a7857118a57d9ededb7dc6f2a9bb0ca74
                                                                    • Instruction Fuzzy Hash: C7521674A00228CFCB64DF74D958799BBB6BF48306F1091EAD50AA3340DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph
                                                                    • Legend: Executed / Not Executed
                                                                    • Entry block 5edcb0f-5edd45c (calls 5edbc18 and 5edbda8, then the APIs listed below); graph node and edge data not reproduced
                                                                    APIs
                                                                    • LocalFlags.KERNEL32 ref: 05EDCB33
                                                                    • UnregisterWaitUntilOOBECompleted.KERNEL32 ref: 05EDCB78
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$CompletedFlagsInitializeLocalThunkUnregisterUntilWait
                                                                    • String ID:
                                                                    • API String ID: 3574001451-0
                                                                    • Opcode ID: c302401a00f268d7e3b2db3cba92172f4c8f79fd595662b1e68c8078cfc1e7bd
                                                                    • Instruction ID: fec1a6f11f4fae1e38dff2c565075d52b3ff2d095859dd59b55cd434a7791232
                                                                    • Opcode Fuzzy Hash: c302401a00f268d7e3b2db3cba92172f4c8f79fd595662b1e68c8078cfc1e7bd
                                                                    • Instruction Fuzzy Hash: 2C421774A00228CFCB64DF74D958799BBB6BF48306F1091EAD50AA3350DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph (rendered control-flow graph omitted; only its summary survives): entry 00E229E0, basic blocks 00E229E0-00E22DDA; calls CreateDirectoryTransactedW; the call site at 00E22AC6 resolves to 00E229E0 (recursion), 00E22C84 or 00E229A8.
                                                                    APIs
                                                                    • CreateDirectoryTransactedW.KERNEL32(00000000), ref: 00E22D9D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.509028836.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_e20000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: CreateDirectoryTransacted
                                                                    • String ID: \$\$\
                                                                    • API String ID: 3398158531-3791832595
                                                                    • Opcode ID: d5c1b6a2ba7479305b44599084c67a8436a29fd9b02ee7e93067b972b351c2db
                                                                    • Instruction ID: b0a807367260a056dd1186cbb8c8d6a8b6da9a360dc9b4c51bba628dc9766c08
                                                                    • Opcode Fuzzy Hash: d5c1b6a2ba7479305b44599084c67a8436a29fd9b02ee7e93067b972b351c2db
                                                                    • Instruction Fuzzy Hash: F3A1F471B006249FDB28EB7898517BE77E2AF88318F14952DD616EB784EB309C4687D0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph (rendered control-flow graph omitted; only its summary survives): entry 05EDCB54, basic blocks 05EDCB54-05EDE147; calls 05EDBC18, 05EDBDA8, 05EDB2D0, 05EDAED8, 05EDAF20, UnregisterWaitUntilOOBECompleted, KiUserExceptionDispatcher x2, LdrInitializeThunk and 00E2A5E0 x5; the call sites at 05EDD45C, 05EDD4A4, 05EDD4EC, 05EDD534, 05EDD5B9, 05EDDD65 and 05EDDDAB each resolve only to several candidate targets in the 00E20000 region.
                                                                    APIs
                                                                    • UnregisterWaitUntilOOBECompleted.KERNEL32 ref: 05EDCB78
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$CompletedInitializeThunkUnregisterUntilWait
                                                                    • String ID:
                                                                    • API String ID: 906585097-0
                                                                    • Opcode ID: a12851a454f880b1cc69c4aa684bf0e835fb0fcc1e1158e71f63c582cc3134e0
                                                                    • Instruction ID: 740f4a75b90ccb5edfd7e681d15a19ed5b5fed72b63c524195a41fdce7106fa6
                                                                    • Opcode Fuzzy Hash: a12851a454f880b1cc69c4aa684bf0e835fb0fcc1e1158e71f63c582cc3134e0
                                                                    • Instruction Fuzzy Hash: 29421674A00228CFCB64DF74D958799BBB6BF48306F1081EAD50AA3340DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph (rendered control-flow graph omitted; only its summary survives): entry 00F66B4B, basic blocks 00F66B4B-00F66CFF; calls GetCurrentProcess x2, GetCurrentThread, GetCurrentThreadId and 00F66D0C.
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 00F66BB0
                                                                    • GetCurrentThread.KERNEL32 ref: 00F66BED
                                                                    • GetCurrentProcess.KERNEL32 ref: 00F66C2A
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00F66C83
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: f6b275466ba29718611d7f84ace4926137455baa670d93e1ac8f876efa46acef
                                                                    • Instruction ID: 66348653632f3d690a0533767deae1a4593b7e5bb1511892bd919c2605c10bdc
                                                                    • Opcode Fuzzy Hash: f6b275466ba29718611d7f84ace4926137455baa670d93e1ac8f876efa46acef
                                                                    • Instruction Fuzzy Hash: E55133B0D046488FDB18CFA9D648B9EBBF0FF88314F208559E459A7390D7746984CB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph (rendered control-flow graph omitted; only its summary survives): entry 00F66B50, basic blocks 00F66B50-00F66CFF; calls GetCurrentProcess x2, GetCurrentThread, GetCurrentThreadId and 00F66D0C.
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 00F66BB0
                                                                    • GetCurrentThread.KERNEL32 ref: 00F66BED
                                                                    • GetCurrentProcess.KERNEL32 ref: 00F66C2A
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00F66C83
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: adad3a29bd50000de4e53bfd96a0b6fb5dacd7ea8fc773270e3296aaad37d0ba
                                                                    • Instruction ID: 56bd2e33495e550d3e5714f231403f380ccc403386f172fcf4aa56d741e3e941
                                                                    • Opcode Fuzzy Hash: adad3a29bd50000de4e53bfd96a0b6fb5dacd7ea8fc773270e3296aaad37d0ba
                                                                    • Instruction Fuzzy Hash: BC5122B0E046488FDB14CFAAD648B9EBBF0FB88314F208459E459B7390D7746984CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph (rendered control-flow graph omitted; only its summary survives): entry 05EDCB99, basic blocks 05EDCB99-05EDE147; calls 05EDBC18, 05EDBDA8, 05EDB2D0, 05EDAED8, 05EDAF20, KiUserExceptionDispatcher x2, LdrInitializeThunk and 00E2A5E0 x5; the call sites at 05EDD45C, 05EDD4A4, 05EDD4EC, 05EDD534, 05EDD5B9, 05EDDD65 and 05EDDDAB each resolve only to several candidate targets in the 00E20000 region.
                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: 3042ef0ab616cc2614b95d7f872bae8d5ebedf5eade29f3f5831b95e25d6c343
                                                                    • Instruction ID: c9715715776037d2123de2a3050970b467de2d039b5a7731498e60a502241ef4
                                                                    • Opcode Fuzzy Hash: 3042ef0ab616cc2614b95d7f872bae8d5ebedf5eade29f3f5831b95e25d6c343
                                                                    • Instruction Fuzzy Hash: D4421774A00228CFCB64DF64DD58799BBB6BF48306F1091EAD50AA3350DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph (rendered control-flow graph omitted; only its summary survives): entry 05EDCBDE, basic blocks 05EDCBDE-05EDE147; calls 05EDBC18, 05EDBDA8, 05EDB2D0, 05EDAED8, 05EDAF20, KiUserExceptionDispatcher x2, LdrInitializeThunk and 00E2A5E0 x5; the call sites at 05EDD45C, 05EDD4A4, 05EDD4EC, 05EDD534, 05EDD5B9, 05EDDD65 and 05EDDDAB each resolve only to several candidate targets in the 00E20000 region.
                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: a32fa2dea78b21d82442fa5535d169f5ec9854062da74bf3dcddd8a9f43f972f
                                                                    • Instruction ID: 75ee5edffae21b382e0034b4443713f2efbde52ea42ba44f625b7144d862c0b4
                                                                    • Opcode Fuzzy Hash: a32fa2dea78b21d82442fa5535d169f5ec9854062da74bf3dcddd8a9f43f972f
                                                                    • Instruction Fuzzy Hash: 03421774A00229CFCB64DF64DD58799BBB6BF48306F1081EAD50AA3350DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: 568b8057801e438bd81a1f44c830fe66e89d39f4555b88032953534f308263ca
                                                                    • Instruction ID: e884a2d16e80f019eb21f8da5ed37cb49023d7eb5a7241b8d72a72d1e529e709
                                                                    • Opcode Fuzzy Hash: 568b8057801e438bd81a1f44c830fe66e89d39f4555b88032953534f308263ca
                                                                    • Instruction Fuzzy Hash: 4F421874A00229CFCB64DF64DD58799BBB6BF48306F1081EAD50AA3350DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: b9e61f8e881874d5a29d262e4849b632978fa6939763214118c81d64dbc45e3a
                                                                    • Instruction ID: 860485c0a748661c678d53aa346674d0bb4ea7dbf7e8847da8ff3815306794b1
                                                                    • Opcode Fuzzy Hash: b9e61f8e881874d5a29d262e4849b632978fa6939763214118c81d64dbc45e3a
                                                                    • Instruction Fuzzy Hash: CA422774A00229CFCB24DF64D958799B7B6BF48306F1081EAD50AA3340DB35AE86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: 54cb62f286a226ab87104bac7e83c8237a0885256c86332d28d97c6edd978ff8
                                                                    • Instruction ID: 95dd38eadb8115bade0169dad36b3715d8b709dd1b53eafe3c1eb73119e5bee4
                                                                    • Opcode Fuzzy Hash: 54cb62f286a226ab87104bac7e83c8237a0885256c86332d28d97c6edd978ff8
                                                                    • Instruction Fuzzy Hash: E7421774A00229CFCB64DF64D958B9DB7B6BF88305F1081EAD50AA3350DB35AE86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: 7e9c2f3f485abff2bf6b8c2987a752652143d6ddfee0d4a1f9974747117d175b
                                                                    • Instruction ID: a576fb969a2b80aa8eeb331f815630e7d56b86af24c058e62eafd5cf0b35661a
                                                                    • Opcode Fuzzy Hash: 7e9c2f3f485abff2bf6b8c2987a752652143d6ddfee0d4a1f9974747117d175b
                                                                    • Instruction Fuzzy Hash: 5F321874A01229CFCB24DF64D95879DB7B6BF48305F1081EAD50AA3350DB35AE86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: 975cfcabb83cb6a28e73972086b92e44665c111c4a219c929a390c352a2aef34
                                                                    • Instruction ID: 31ae458bc0073ab51b554f4c9a330dc51c2bd919ef144fadeddcb09021f7c630
                                                                    • Opcode Fuzzy Hash: 975cfcabb83cb6a28e73972086b92e44665c111c4a219c929a390c352a2aef34
                                                                    • Instruction Fuzzy Hash: EB321774A00229CFCB24DF64D958B9DB7B6BF88305F1081EAD54AA3350DB35AE86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: d01a8f9331bb6b7e6b8024571de6762bd4788962ea04ce47e1f5307b5461c5e3
                                                                    • Instruction ID: d2b8711b8c378d332bb5234c2f628cc22b239e8aa832e33ae5f78ffcdd0b3a7f
                                                                    • Opcode Fuzzy Hash: d01a8f9331bb6b7e6b8024571de6762bd4788962ea04ce47e1f5307b5461c5e3
                                                                    • Instruction Fuzzy Hash: 00321774A00229CFCB24EF64DD58799B7B6BF88305F1081EAD54AA3350DB359E86CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: dbebfc11cebcd746db2b8265cdd14050e38abede4f7a72009e1801593f7de3d1
                                                                    • Instruction ID: 0cc61aa16378c2484820cf7777c939ab302eb4d6254b938bf3351f6ecab58fa2
                                                                    • Opcode Fuzzy Hash: dbebfc11cebcd746db2b8265cdd14050e38abede4f7a72009e1801593f7de3d1
                                                                    • Instruction Fuzzy Hash: 8E322774A00229CFCB64EF64DD58B99B7B6BF88305F1081EAD54AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: 7f4c3b58cde0313274c8f31f63505f1723f92bf0b09e35d43e3b605079dc2aeb
                                                                    • Instruction ID: 3e28c483db71951a53e5f4448c7196375952c4d73cd45dc45925db22fdd31538
                                                                    • Opcode Fuzzy Hash: 7f4c3b58cde0313274c8f31f63505f1723f92bf0b09e35d43e3b605079dc2aeb
                                                                    • Instruction Fuzzy Hash: 0F322774A00229CFCB24EF64DD58B99B7B6BF88305F1081EAD54AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDCE6F
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2638914809-0
                                                                    • Opcode ID: ff41852841ad195a166ad875e65e777b4688dba4217683c020a3aa2e7612ec28
                                                                    • Instruction ID: b4d1720ee4e1e1a4fc0de5db81ad51f760cdc984911be4912e1db0fde39c6e1d
                                                                    • Opcode Fuzzy Hash: ff41852841ad195a166ad875e65e777b4688dba4217683c020a3aa2e7612ec28
                                                                    • Instruction Fuzzy Hash: 4F321674A04229CFCB24EF64DD58B99B7B6BF88305F1081EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: bda2af4159a5623202ea0907a6a052a4576aa36cc059cdd6541d76406039cf32
                                                                    • Instruction ID: 703305d44af96ad6f207822ed0a027d9c67c95ea8651ca184a2730e9259382cd
                                                                    • Opcode Fuzzy Hash: bda2af4159a5623202ea0907a6a052a4576aa36cc059cdd6541d76406039cf32
                                                                    • Instruction Fuzzy Hash: 9F220674A05229CFCB24EF64DD58B99B7B6BF88305F1081EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: 9a46806e410d421c07b8fc7f0242447df26819f0308ba05f4668206c743ac2b9
                                                                    • Instruction ID: f29de36e27983900728d55f06625225063d7f8fd4ad36f4f487c1f2539ddfa3a
                                                                    • Opcode Fuzzy Hash: 9a46806e410d421c07b8fc7f0242447df26819f0308ba05f4668206c743ac2b9
                                                                    • Instruction Fuzzy Hash: 79221674A05229CFCB24EF64DD58B99B7B6BF88305F1081EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: 44f1aa35453239d46b79cde12a542a7b1d590b72b9224e49fa4ff43eb16936c8
                                                                    • Instruction ID: 57e8077c681730a206f653d105c5f1f7103a5eefd763df82fe3c897db5bb9811
                                                                    • Opcode Fuzzy Hash: 44f1aa35453239d46b79cde12a542a7b1d590b72b9224e49fa4ff43eb16936c8
                                                                    • Instruction Fuzzy Hash: 94220674A05229CFCB24EF64DD58B99B7B6BF88305F1081EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: d1c42f6cf7ca24de4b61cb236617620f24eb0818bd605af636cd4d80abe1afbf
                                                                    • Instruction ID: 2265c7d0d4fe2067ea9688560068e8881032967e93b33f742e776e6115d1df91
                                                                    • Opcode Fuzzy Hash: d1c42f6cf7ca24de4b61cb236617620f24eb0818bd605af636cd4d80abe1afbf
                                                                    • Instruction Fuzzy Hash: 44220674A05229CFCB24EF64DD58B99B7B6BF88305F1081EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: 5b43faf2913a1c38e86fdbf3f7ef44de347bebfa9c0a3ad38ed3b14809d0fa0c
                                                                    • Instruction ID: 2b66b17f24ce5e84b731fe3affbe35bd5163d75dd7ffc10931706aa7d6660605
                                                                    • Opcode Fuzzy Hash: 5b43faf2913a1c38e86fdbf3f7ef44de347bebfa9c0a3ad38ed3b14809d0fa0c
                                                                    • Instruction Fuzzy Hash: 89220674A05229CFCB24EF64DD58B9DB7B6BF88205F1081EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: 720156ce244e2dd9b2220c4bd8e920c9a85f3c3ee3850e60b132318f516d92e6
                                                                    • Instruction ID: 23be2d87192b5d4ebc11103f752fb65d148095ed84091e253969e1ba9f9934cb
                                                                    • Opcode Fuzzy Hash: 720156ce244e2dd9b2220c4bd8e920c9a85f3c3ee3850e60b132318f516d92e6
                                                                    • Instruction Fuzzy Hash: 66120674A05229CFCB24EF64DD58B9DB7B6BF88205F1081EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: 6f42b011b47fba841d67552033f7803b3728a5c5ca348ff7d1ad09839e9e3ce7
                                                                    • Instruction ID: cf21217f0b13a72773fc4f30c83f06eb74cba11b89d774f9c5e0add5c2b637ab
                                                                    • Opcode Fuzzy Hash: 6f42b011b47fba841d67552033f7803b3728a5c5ca348ff7d1ad09839e9e3ce7
                                                                    • Instruction Fuzzy Hash: 10121674A052298FCB24EF74DD58B9DB7B6BF88205F1081EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: e5ffda2302f99704334cf7f16120e8ae3b0b33305501919108b5e4af352cc8ed
                                                                    • Instruction ID: 9f030f423a38c0c5f9d8d794daad5a2438e816991f6913264bbb93a6a9f4dcc4
                                                                    • Opcode Fuzzy Hash: e5ffda2302f99704334cf7f16120e8ae3b0b33305501919108b5e4af352cc8ed
                                                                    • Instruction Fuzzy Hash: 72121674A042298FCB24EF64DD58B9DB7B6BF88205F1085EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: fd530e407c845340a2168e1d616def8e65a0b6bfa4b77531d8c7e0152451392b
                                                                    • Instruction ID: 686e92f0cc74fb761027d951fc9616e77c75a1189427e757132c45bfebb2615f
                                                                    • Opcode Fuzzy Hash: fd530e407c845340a2168e1d616def8e65a0b6bfa4b77531d8c7e0152451392b
                                                                    • Instruction Fuzzy Hash: C8122774A052298FCB24EF74DD58B9DB7B6BF88205F1081EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: 03636e62400a466aab750926860b5e1b66bb102959bdd919868a26e8bf690807
                                                                    • Instruction ID: 7b3361de8e1aa8ef63620d293efd89653efb03711a34f87df152445af9ef79fe
                                                                    • Opcode Fuzzy Hash: 03636e62400a466aab750926860b5e1b66bb102959bdd919868a26e8bf690807
                                                                    • Instruction Fuzzy Hash: 70122774A042298FCB24EB74DD58B9DB7B6BF88205F1081EAD50AA3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: eb854942bf2a412dd486bb1206ece55cc16c5f214cedb841994a1b80e35d8ea0
                                                                    • Instruction ID: 083d43a77c009fd01eab38311e8db7f859a73e12b0f4ba9071c197276e9c7462
                                                                    • Opcode Fuzzy Hash: eb854942bf2a412dd486bb1206ece55cc16c5f214cedb841994a1b80e35d8ea0
                                                                    • Instruction Fuzzy Hash: BF021774A042298FCB24EB74DD58B9DB7B6BF88205F1085EAD50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05EDD1E0
                                                                    • LdrInitializeThunk.NTDLL ref: 05EDD6A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                    • String ID:
                                                                    • API String ID: 243558500-0
                                                                    • Opcode ID: 67e240c7782cc0dd18d218b151a1c0773e0bb58980c7ad129b265642a58a0222
                                                                    • Instruction ID: 9e007656a0ee2136337d0061bad8061c7d299e7478777369c7aca4bca05e4e1f
                                                                    • Opcode Fuzzy Hash: 67e240c7782cc0dd18d218b151a1c0773e0bb58980c7ad129b265642a58a0222
                                                                    • Instruction Fuzzy Hash: 0E0217B4A042298FCB24EB74DD58B9DB7B6BF88205F1085E9D50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 24bfa28fcca1b1d0f339ca3d177e695e93708aa57fbd3a3c079483246b5a51ae
                                                                    • Instruction ID: 36fda570ff51985c4dd07962200f1d9d8fae2e2d4eaa151a64fb27f06b1c38ce
                                                                    • Opcode Fuzzy Hash: 24bfa28fcca1b1d0f339ca3d177e695e93708aa57fbd3a3c079483246b5a51ae
                                                                    • Instruction Fuzzy Hash: 130226B4A042298FCB24EB74DD58B9DB7B6AF88205F1085E9D50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 1e40514c291eeffd3284526e345680a654d77c6c7f4af980dafb0b666467b83a
                                                                    • Instruction ID: 268740ba2cdb05fd120b24a19e35d10f3ab36c6507ebe7a5ec7756e797135a98
                                                                    • Opcode Fuzzy Hash: 1e40514c291eeffd3284526e345680a654d77c6c7f4af980dafb0b666467b83a
                                                                    • Instruction Fuzzy Hash: 850226B4A042298FCB24EF74DD58B9DB7B6AF88205F1085E9D50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 09486536a25d47e1929a8e49fc6413ba2e156bdee1ff5b80abc56827f65197b5
                                                                    • Instruction ID: 26e918b1d138297d9eaac8870668df19e82d428cd195cb5ab272e74832d5b875
                                                                    • Opcode Fuzzy Hash: 09486536a25d47e1929a8e49fc6413ba2e156bdee1ff5b80abc56827f65197b5
                                                                    • Instruction Fuzzy Hash: 1BF136B4A042298FCB24EF74DD58B9DB7B6AF88205F1085E9D50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 6776fd1aafc4515a7d14a44d14d84e90546ae8b56eef124d3f7cb1292f703a6d
                                                                    • Instruction ID: a6c50a1d9dfcc4b36a2919adc71a19e865e3d3b5c33e530bdd8f9d909213477c
                                                                    • Opcode Fuzzy Hash: 6776fd1aafc4515a7d14a44d14d84e90546ae8b56eef124d3f7cb1292f703a6d
                                                                    • Instruction Fuzzy Hash: 64F127B4A042298FCB24EB75DD58B9DB7B6BF88205F1084E9D50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 1b06e4fecfdefc4bbb1717b29a9e76f8731ae6a39d27fbe52327c6615891d0f0
                                                                    • Instruction ID: 2aeddaa8593027c8702d6eba130aa4c038edec04658cd3d891ac9fcc685ff97d
                                                                    • Opcode Fuzzy Hash: 1b06e4fecfdefc4bbb1717b29a9e76f8731ae6a39d27fbe52327c6615891d0f0
                                                                    • Instruction Fuzzy Hash: 6DF137B4A042298FCB24EF75DD58B9DB7B6AF88205F1084E9D50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 014a84c450d2c312e1a795f3a40e938bb0d74109b031236ff714b1e1ee40de31
                                                                    • Instruction ID: 27e70db8256a87315e0ea50a72559e28a32b2f593889043849ef61c43595fe4f
                                                                    • Opcode Fuzzy Hash: 014a84c450d2c312e1a795f3a40e938bb0d74109b031236ff714b1e1ee40de31
                                                                    • Instruction Fuzzy Hash: 79F137B4A042298FCB24EF75DD58B9DB7B6AF88205F1084E9D50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 03c86120d2821520d24f3fc6e4b7940873c9599647ace659f096e5e3b208dbb5
                                                                    • Instruction ID: 2ccf3711a7590497c6de57d94797ad2af759274a3e07d1268c22fef4a8e695d9
                                                                    • Opcode Fuzzy Hash: 03c86120d2821520d24f3fc6e4b7940873c9599647ace659f096e5e3b208dbb5
                                                                    • Instruction Fuzzy Hash: C3E148B0A042298FCB24EB75DD58B9DB7B6BF88205F1084E9D50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 1b2483faacb24e567dee66de4697e78e3d4bb0c50d294944d2542c3a5695c962
                                                                    • Instruction ID: 46f2029c77e5b64046b5b22770456a21aaf9cad108748f34c05ec79e042065d2
                                                                    • Opcode Fuzzy Hash: 1b2483faacb24e567dee66de4697e78e3d4bb0c50d294944d2542c3a5695c962
                                                                    • Instruction Fuzzy Hash: 31E139B4A042298FCB24EB75DD58B9DB7B6BF88205F1084E9D50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: d8ff225bd5e434b27d6897471d766aaf64866d88c82f2e6fe5a71c1ac2321d89
                                                                    • Instruction ID: 6b5b3dcaabb03fee240bb6c3bd0be8436dde14b5ba3684124daa1cc58870732e
                                                                    • Opcode Fuzzy Hash: d8ff225bd5e434b27d6897471d766aaf64866d88c82f2e6fe5a71c1ac2321d89
                                                                    • Instruction Fuzzy Hash: BDE139B4A042298FCB24EB75DC58B9DB7B6BF88205F1084E9D54AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 9f0ac8ecb4b71695d07d393b6ecb39b8df71cbff175a6b12674f3593bc7ac5a6
                                                                    • Instruction ID: f43cab67b098cb9a2dcedb771e52b9459cecaead2b3d38bc37fd2aae6a6755a0
                                                                    • Opcode Fuzzy Hash: 9f0ac8ecb4b71695d07d393b6ecb39b8df71cbff175a6b12674f3593bc7ac5a6
                                                                    • Instruction Fuzzy Hash: 0BE13AB4A042298FCB24EB75DC58B9DB7B6BF88205F1084E9D54AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: cd60426d1d703bc0730787883198a2a771e311b9fe55be094e51d69c2e395899
                                                                    • Instruction ID: 02fd5676a511186f50cf0d00f5302f6b458edeae87ce1528eed804aed88e8068
                                                                    • Opcode Fuzzy Hash: cd60426d1d703bc0730787883198a2a771e311b9fe55be094e51d69c2e395899
                                                                    • Instruction Fuzzy Hash: 2DD14CB4A042298FCB24EB75DC58B9DB7B6BF88205F1084E9D54AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: ba644953381ac29f92987282eed4853960c2678c647591e7b0e7b120da9d5a2b
                                                                    • Instruction ID: 2fed95cb6de76ae4c52dbe350b2cb957058d4ec1e5ff32db4d2e17b8b5453a9a
                                                                    • Opcode Fuzzy Hash: ba644953381ac29f92987282eed4853960c2678c647591e7b0e7b120da9d5a2b
                                                                    • Instruction Fuzzy Hash: 55D13BB5A042298FCB24EB75DC58B9DB7B6BF88205F1084E5D50AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 48e8964ee1a6b5bbd41eb1f4336a5f351f3590a0ad8d8e91ccbd7782e359556b
                                                                    • Instruction ID: e07e559f195647d5919fc59961dea01effb875548de31acdf9a367f9f802211e
                                                                    • Opcode Fuzzy Hash: 48e8964ee1a6b5bbd41eb1f4336a5f351f3590a0ad8d8e91ccbd7782e359556b
                                                                    • Instruction Fuzzy Hash: 48D13BB5A052298FCB24EF75DC58B9DB6B6BF88205F1084E5E40AE3350DB359E86CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • FindFirstVolumeMountPointW.KERNEL32 ref: 00F6D5EC
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: FindFirstMountPointVolume
                                                                    • String ID:
                                                                    • API String ID: 1565321653-0
                                                                    • Opcode ID: 60152c354b29d3693f4c5b3c90b4072db4884f24749e38515e7287fb32667c72
                                                                    • Instruction ID: 2559a8e9adaf18149e103d921c71ac5e5e58ae378959c6145d3f6853d358a40b
                                                                    • Opcode Fuzzy Hash: 60152c354b29d3693f4c5b3c90b4072db4884f24749e38515e7287fb32667c72
                                                                    • Instruction Fuzzy Hash: 88413532F083504FDB294A79886027E37E6AB85368F2D407AD807CB795DF75CC09A752
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05EDB20B
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 3e7dc0685b1d096ec7f7cc0ed5b1987245c5a28fc65d9fb466b6b4552db193ae
• Instruction ID: 895e8c8972c1c00ead0fee81fb5fb64e26e5d0e8db7698e3bedb9134a9d12fe9
• Opcode Fuzzy Hash: 3e7dc0685b1d096ec7f7cc0ed5b1987245c5a28fc65d9fb466b6b4552db193ae
• Instruction Fuzzy Hash: 585132B5D002188FDB08CFA9D885BDDFBB5BF48318F15942AD819AB354E7749845CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 05EDB20B
Memory Dump Source
• Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 9f4944ccd661fcbce19e1c3fd2ee8c4abcd1b1d0862196f56b333542d20421b2
• Instruction ID: 2221b261de965d2b4b8f1ab26abf2957c6cbcac87481ea0101b299c48b03ace9
• Opcode Fuzzy Hash: 9f4944ccd661fcbce19e1c3fd2ee8c4abcd1b1d0862196f56b333542d20421b2
• Instruction Fuzzy Hash: 5A5100B1E002188FDB18CFA9C888B9DFBB5BF48314F159529E855AB390E7749845CFA4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.509028836.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e20000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0a81a9a106e5393cf7f0af42e81fc55ec243b6f8c01c224c03da5796b6a3273
• Instruction ID: cfd70fe2ca0d13ffd4e11a848897e59d55771e3833a1825d640e5dbdc0ccb91f
• Opcode Fuzzy Hash: d0a81a9a106e5393cf7f0af42e81fc55ec243b6f8c01c224c03da5796b6a3273
• Instruction Fuzzy Hash: 4A411372D083598FCB04CB79D8006AEBBF1AF8A214F1585ABD508E7381DB749885CBD1
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F652A2
Memory Dump Source
• Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 3bb27aca5cefeaa647199d9cb66ca1a5b1d884fd3b20b99020fff055d2aa1cfd
• Instruction ID: af9ccf308700372fe674cdb50f900d590e7c7cdf890b1008b7806990ec8c4567
• Opcode Fuzzy Hash: 3bb27aca5cefeaa647199d9cb66ca1a5b1d884fd3b20b99020fff055d2aa1cfd
• Instruction Fuzzy Hash: 1051CEB1D10309DFDB14CF99D884ADEBBB5BF88714F24812AE819AB210D7749985CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F652A2
Memory Dump Source
• Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 15b68c8238855d89442934bf2f269a8eadb878633352016ff3f88c9157a7b502
• Instruction ID: 3146717b0eb9a5178ad864e45cef07ed0b9b7422d34401c7ae5d7fb61c94e934
• Opcode Fuzzy Hash: 15b68c8238855d89442934bf2f269a8eadb878633352016ff3f88c9157a7b502
• Instruction Fuzzy Hash: E241CDB1D10309DFDF14CF99D984ADEBBB5BF88714F24812AE819AB210D774A885CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 00F67D01
Memory Dump Source
• Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 1592dc7ff11ec913390877aea4338453c63862d94ccd0d037c916ca4eb97e199
• Instruction ID: c372499b1c07b5c619a0fc114fc9dbc1035865653ec2d43528448b225e4017be
• Opcode Fuzzy Hash: 1592dc7ff11ec913390877aea4338453c63862d94ccd0d037c916ca4eb97e199
• Instruction Fuzzy Hash: 1C411AB5A04309CFCB14DF59C448AAABBF5FF88328F24C459E519AB325D774A841DFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 05ED3E4A
Memory Dump Source
• Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: d1353b2e1be3a84843ad80c48d63506f8d59d17da1166409e864fd0f0a5d51e4
• Instruction ID: 179bc73c3834799f10caac227dc5d925cb6ec7181f5476cfe4156ed16ffce7b3
• Opcode Fuzzy Hash: d1353b2e1be3a84843ad80c48d63506f8d59d17da1166409e864fd0f0a5d51e4
• Instruction Fuzzy Hash: 943125B0D043489FDB14CFA9D98579EFBB1FB08314F148929E855AB380D7749886CFA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 05ED3E4A
Memory Dump Source
• Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5ed0000_RegSvcs.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: cc72e64f9af7dadf7c3153ee38562a09bd35a4757b783368433543972f12bbd6
• Instruction ID: b656d99f5587861945671dccdd71e3a9e2d985907dd73365cac8a9dab4bb7f01
• Opcode Fuzzy Hash: cc72e64f9af7dadf7c3153ee38562a09bd35a4757b783368433543972f12bbd6
• Instruction Fuzzy Hash: FC3134B0D043489FDB14CFA9D885B9EFBF1BB08314F108929E855A7380D7749886CFA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F66DFF
Memory Dump Source
• Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: dfc741340650e44a0ef4206579fe33c410c2653d890e5147c0e4ab929a42c88f
• Instruction ID: 5b695e06c7562fff9a6650c2c77eb75ef727bee01ccf026ca95b48a6a16576a2
• Opcode Fuzzy Hash: dfc741340650e44a0ef4206579fe33c410c2653d890e5147c0e4ab929a42c88f
• Instruction Fuzzy Hash: 1F2114B59012489FCB00CFA9D984ADEFBF4FB48324F14841AE914A7310D374A954DFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F66DFF
Memory Dump Source
• Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 0205c8556c7d280a13bfa0be19008bd630437721b0abc46b7d25362c93534aa2
• Instruction ID: 6fb325b7934a9788e2da662eccd7cde181fce0af2216417b71a259f589ed74cc
• Opcode Fuzzy Hash: 0205c8556c7d280a13bfa0be19008bd630437721b0abc46b7d25362c93534aa2
• Instruction Fuzzy Hash: D021E2B59002089FDB10CFAAD984ADEFBF8FB48324F14841AE914A7310D374A954DFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00F6BE72
Memory Dump Source
• Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 7cbad59786956657b6abf441abc002fc2848c8691de1e12a8feb1c76cbf1d7bc
• Instruction ID: 5c8d60312c71b2393bc1945d4fe0a6cb9e077e9c950fe13dc2aef687f6cf69b8
• Opcode Fuzzy Hash: 7cbad59786956657b6abf441abc002fc2848c8691de1e12a8feb1c76cbf1d7bc
• Instruction Fuzzy Hash: FC21A7B19053458FCB20DFA9C8483EEBFF0EB1A314F24856AD448E7282C7395588CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00E2C79A), ref: 00E2C887
Memory Dump Source
• Source File: 00000004.00000002.509028836.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e20000_RegSvcs.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 998cccbe539df9a1eb675cec116031bbe5bdcfe1ec5abc36e09b39d5bcd37422
• Instruction ID: c45d750ad9930709e94e3aeb81795a9e86c3888805b498048e8b4c23e647d782
• Opcode Fuzzy Hash: 998cccbe539df9a1eb675cec116031bbe5bdcfe1ec5abc36e09b39d5bcd37422
• Instruction Fuzzy Hash: DE1133B1C046699BCB04CF9AD544BDEFBF4EB48324F15856AE818B7240D378A944CFE1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00F6BE72
Memory Dump Source
• Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: f9f196f753674cf4f4af9e21810b85640b6f3c74334e37e3b37a0af50510c6f2
• Instruction ID: cd955609e102542f6bc7f2dfa8d3abd7885dd7b5bd9080f142ff9159447bd78c
• Opcode Fuzzy Hash: f9f196f753674cf4f4af9e21810b85640b6f3c74334e37e3b37a0af50510c6f2
• Instruction Fuzzy Hash: DC1164B1D013098FDB20DFAAD5087DEBBF4EB59324F208529D508A3285C7796988CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00E2C79A), ref: 00E2C887
Memory Dump Source
• Source File: 00000004.00000002.509028836.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e20000_RegSvcs.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: beceacabecfbd58bdefc6a0e6d8750fcbd868114a5f82d158377d5031a2d8f6c
• Instruction ID: 4996ce2fe4c3f9d990529a02bd3523c3362f25d923cc5959f06d087c38a51a48
• Opcode Fuzzy Hash: beceacabecfbd58bdefc6a0e6d8750fcbd868114a5f82d158377d5031a2d8f6c
• Instruction Fuzzy Hash: ED1130B1C046698BCB04CFAAD544BDEFBF0AF48324F15856AD418B7240D378AA45CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateDirectoryTransactedW.KERNEL32(00000000), ref: 00E22D9D
Memory Dump Source
• Source File: 00000004.00000002.509028836.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e20000_RegSvcs.jbxd
Similarity
• API ID: CreateDirectoryTransacted
• String ID:
• API String ID: 3398158531-0
• Opcode ID: 840d9ec30d512339012eff748739f3386fd0bff5e32257b8ef532efd032c2f00
• Instruction ID: 448eba09aa78e0beabc26f43608bf2cba29860299f246ccaf58d7c058d2c978f
• Opcode Fuzzy Hash: 840d9ec30d512339012eff748739f3386fd0bff5e32257b8ef532efd032c2f00
• Instruction Fuzzy Hash: F7F01275F042295F8B40ABB9581979F7AF5EF8C651B1005B5D90AF3300EF348E068BD1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.509123793.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ebd000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d86c451369d0d7f198914572d3b82a7258c4783645eea095cbd219e514bd094d
• Instruction ID: 4189256c6594c3f7c8594206722606ecfdb9443bfc8b7f66054fc8caa958fcb5
• Opcode Fuzzy Hash: d86c451369d0d7f198914572d3b82a7258c4783645eea095cbd219e514bd094d
• Instruction Fuzzy Hash: C32142B1508204EFCF15DF00DDC0BA7BF65FB98328F248569E8099B246D336D856DBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.509156648.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ecd000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5eeb47979e2f73f6b61c444d690d8be606b1e748822f904828bdd28344caeb0d
• Instruction ID: 598aa88e8011b429bad3f01c3c4367cc8f5c4e81f910604959e05fe3caec32c1
• Opcode Fuzzy Hash: 5eeb47979e2f73f6b61c444d690d8be606b1e748822f904828bdd28344caeb0d
• Instruction Fuzzy Hash: 7A21F171608204DFCB10CF18DAC1F26BB66EB84318F20C57DD8095B246C337D847DA61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.509156648.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ecd000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12d7e1106d78a82ce141b49852bcac295aabd7447e911728946c9b2957634ecc
• Instruction ID: f1d6195ecd295762ba5abb9e3b6285abbc812848e7db4904492cc54b5ff23fd3
• Opcode Fuzzy Hash: 12d7e1106d78a82ce141b49852bcac295aabd7447e911728946c9b2957634ecc
• Instruction Fuzzy Hash: 90217F7550D3808FDB02CF24D990B15BF71EB46214F28C5EAD8498B697C33B980BCB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.509123793.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ebd000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af74d119f5eccf0fc27d3fcee38edaf6600dc4b2768a2458d5ce5b639dbddb0b
• Instruction ID: 24ec64c860ff128cb1776eb393c0c627a34bf2a3f0aa0d8d47ac41aa25c5fda0
• Opcode Fuzzy Hash: af74d119f5eccf0fc27d3fcee38edaf6600dc4b2768a2458d5ce5b639dbddb0b
• Instruction Fuzzy Hash: 94113872408284CFCF12CF00D9C0B56BF72FB94328F24C6A9D8084B61AC336D85ACBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f60000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3ad32dd9d5889660feb6a1211e124e2a6a2d66c2cfdcb1b8e63be527a005329
• Instruction ID: 135baa6c7eb97bb29702d466cf3714ce1ac6c202780ef24b2d912fa75a1b9894
• Opcode Fuzzy Hash: c3ad32dd9d5889660feb6a1211e124e2a6a2d66c2cfdcb1b8e63be527a005329
• Instruction Fuzzy Hash: 80D05E3544C2445FC7039B6098008847FB5AF4B30031440ABB500CB5B3D26A4539D700
Uniqueness
Uniqueness Score: -1.00%
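The entries above are the raw per-function output of the Joe Sandbox IDA plugin for process 4 (RegSvcs.exe). Every memory dump source in this section is marked "based on PE: false", which is the detail an analyst cares about: these API call sites live in memory that no on-disk image backs, i.e. code that was unpacked or injected at run time. To turn thousands of such lines into a reviewable table, the usual first step is to group call sites by dump region. The following Python is an added example written for this page, not Joe Sandbox code; it parses entries in exactly the layout shown above and summarises which APIs each non-PE-backed region reaches. The embedded sample is six entries copied from this section and trimmed to the lines the parser reads, so the region-to-API mapping it produces describes only that sample, not the full report.

```python
import re
from collections import defaultdict

# Constructed sample: six function entries copied from the report section above
# (process 4 = RegSvcs.exe, dump 00000002), trimmed to the lines this parser
# reads. The two CreateWindowExW entries are distinct functions (different
# fuzzy hashes) that contain the same call site; call sites are deduplicated.
SAMPLE_ENTRIES = """\
APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 05EDB20B
Memory Dump Source
• Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
• Instruction Fuzzy Hash: 5A5100B1E002188FDB18CFA9C888B9DFBB5BF48314F159529E855AB390E7749845CFA4
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F652A2
Memory Dump Source
• Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
• Instruction Fuzzy Hash: 1051CEB1D10309DFDB14CF99D884ADEBBB5BF88714F24812AE819AB210D7749985CF90
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F652A2
Memory Dump Source
• Source File: 00000004.00000002.509334433.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
• Instruction Fuzzy Hash: E241CDB1D10309DFDF14CF99D984ADEBBB5BF88714F24812AE819AB210D774A885CF90
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 05ED3E4A
Memory Dump Source
• Source File: 00000004.00000002.513339420.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false
• Instruction Fuzzy Hash: 943125B0D043489FDB14CFA9D98579EFBB1FB08314F148929E855AB380D7749886CFA2
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.509028836.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
• Instruction Fuzzy Hash: 4A411372D083598FCB04CB79D8006AEBBF1AF8A214F1585ABD508E7381DB749885CBD1
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00E2C79A), ref: 00E2C887
Memory Dump Source
• Source File: 00000004.00000002.509028836.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
• Instruction Fuzzy Hash: DE1133B1C046699BCB04CF9AD544BDEFBF4EB48324F15856AE818B7240D378A944CFE1
Uniqueness Score: -1.00%
"""

# Line shapes used by the report: "• Api.MODULE(args), ref: ADDR",
# "Source File: ..., Offset: ADDR, based on PE: true|false", fuzzy hash.
API_CALL = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE = re.compile(r"Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
FUZZY = re.compile(r"Instruction Fuzzy Hash: (?P<hash>[0-9A-Fa-f]+)")


def parse_entries(text):
    """Return one dict per function entry. An entry is closed by its
    'Uniqueness Score' line, so entries without an APIs section still parse."""
    entries, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()  # the rendered report indents every line
        if m := API_CALL.match(line):
            cur["apis"].append((m["api"], m["module"], m["ref"]))
        elif m := SOURCE.search(line):
            cur.update(file=m["file"], offset=m["offset"], pe_backed=m["pe"] == "true")
        elif m := FUZZY.search(line):
            cur["fuzzy"] = m["hash"]
        elif line.startswith("Uniqueness Score:"):
            entries.append(cur)
            cur = {"apis": []}
    return entries


def calls_by_region(entries):
    """Map (dump offset, pe_backed) to the distinct (api, module, ref) call
    sites in that region. Two functions sharing one call site count once."""
    regions = defaultdict(set)
    for e in entries:
        for call in e["apis"]:
            regions[(e["offset"], e["pe_backed"])].add(call)
    return dict(regions)


def non_pe_api_summary(entries):
    """APIs reached from memory not backed by a PE image on disk, i.e. code
    that was unpacked or injected at run time. Sorted for stable output."""
    return {
        offset: sorted({api for api, _, _ in calls})
        for (offset, pe_backed), calls in calls_by_region(entries).items()
        if not pe_backed
    }


if __name__ == "__main__":
    for offset, apis in sorted(non_pe_api_summary(parse_entries(SAMPLE_ENTRIES)).items()):
        print(f"{offset}: {', '.join(apis)}")
```

Run against the full report text instead of the sample, the same functions give one line per injected region with its distinct API set, which is a much faster way to spot recon (GetUserNameW), dynamic import resolution (LoadLibraryA) and memory-size queries (GlobalMemoryStatusEx) in the unpacked stages than reading the entries one by one.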