
Windows Analysis Report
SecuriteInfo.com.Suspicious.Win32.Save.a.5066.21910

Overview

General Information

Sample Name: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.21910 (renamed file extension from 21910 to exe)
Analysis ID: 680462
MD5: 836deaf4e5b11b7ed1a46fea5850b33a
SHA1: 4ef5dd4bde33a08e5c17da867ee4d14090673317
SHA256: a83b4422cdae1748849530513cad3dae8e7ccee4f1117e696a4542156f1ae9e7
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe (PID: 6008 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe" MD5: 836DEAF4E5B11B7ED1A46FEA5850B33A)
    • cvtres.exe (PID: 6052 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe MD5: C09985AE74F0882F208D75DE27770DFA)
Extracted AgentTesla configuration: {"Exfil Mode": "SMTP", "Username": "sylvainbaril@ocpi.com.my", "Password": "9v91sGq7r9M$", "Host": "mail.ocpi.com.my"}

Yara matches in memory dumps (Source / Rule / Description / Author / Strings):
Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: Windows_Trojan_AgentTesla_d3ac2b2f; Description: unknown; Author: unknown; Strings:
      • 0x2f830:$a13: get_DnsResolver
      • 0x2e057:$a20: get_LastAccessed
      • 0x301c2:$a27: set_InternalServerPort
      • 0x304db:$a30: set_GuidMasterKey
      • 0x2e15e:$a33: get_Clipboard
      • 0x2e16c:$a34: get_Keyboard
      • 0x2f463:$a35: get_ShiftKeyDown
      • 0x2f474:$a36: get_AltKeyDown
      • 0x2e179:$a37: get_Password
      • 0x2ec13:$a38: get_PasswordHash
      • 0x2fc30:$a39: get_DefaultCredentials
Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security
(20 further memory-dump entries not shown in this extract)

Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack; Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack; Rule: MALWARE_Win_AgentTeslaV3; Description: AgentTeslaV3 infostealer payload; Author: ditekSHen; Strings:
              • 0x304f4:$s10: logins
              • 0x2ff5b:$s11: credential
              • 0x2c55e:$g1: get_Clipboard
              • 0x2c56c:$g2: get_Keyboard
              • 0x2c579:$g3: get_Password
              • 0x2d853:$g4: get_CtrlKeyDown
              • 0x2d863:$g5: get_ShiftKeyDown
              • 0x2d874:$g6: get_AltKeyDown
Source: 1.0.cvtres.exe.400000.4.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 1.0.cvtres.exe.400000.4.unpack; Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security
(27 further unpacked-PE entries not shown in this extract)

No Sigma rule has matched
No Snort rule has matched

                  AV Detection

Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Virustotal: Detection: 25%
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Avira: detected
Source: http://mail.ocpi.com.my; Avira URL Cloud: Label: malware
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Joe Sandbox ML: detected
Source: 1.0.cvtres.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.3.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.2.cvtres.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.2.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sylvainbaril@ocpi.com.my", "Password": "9v91sGq7r9M$", "Host": "mail.ocpi.com.my"}
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: KDJFKRKNM.pdb; source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
Source: Joe Sandbox View; IP Address: 220.158.200.104
Source: global traffic; TCP traffic: 192.168.2.3:49693 -> 220.158.200.104:587
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://DPVGsz.com
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: cvtres.exe, 00000001.00000002.512904675.0000000006C3F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.ocpi.com.my
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; String found in binary or memory: http://www.mozilla.com/0
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org%
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; String found in binary or memory: https://www.thawte.com/cps0
Source: cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown; DNS traffic detected: queries for: mail.ocpi.com.my

                  System Summary

Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload; Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload; Author: ditekSHen
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload; Author: ditekSHen
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload; Author: ditekSHen
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload; Author: ditekSHen
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload; Author: ditekSHen
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload; Author: ditekSHen
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload; Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f; Author: unknown
Source: 1.0.cvtres.exe.400000.0.unpack, <PrivateImplementationDetails>{849CCF59-1BE4-4855-BBC1-20E03C66EAF1}/91D53450-0C90-4FFB-ABF1-6E4C372E332A.cs; Large array initialization: .cctor: array initializer size 11620
Source: 1.0.cvtres.exe.400000.3.unpack, <PrivateImplementationDetails>{849CCF59-1BE4-4855-BBC1-20E03C66EAF1}/91D53450-0C90-4FFB-ABF1-6E4C372E332A.cs; Large array initialization: .cctor: array initializer size 11620
Source: 1.2.cvtres.exe.400000.0.unpack, <PrivateImplementationDetails>{849CCF59-1BE4-4855-BBC1-20E03C66EAF1}/91D53450-0C90-4FFB-ABF1-6E4C372E332A.cs; Large array initialization: .cctor: array initializer size 11620
Source: 1.0.cvtres.exe.400000.4.unpack, <PrivateImplementationDetails>{849CCF59-1BE4-4855-BBC1-20E03C66EAF1}/91D53450-0C90-4FFB-ABF1-6E4C372E332A.cs; Large array initialization: .cctor: array initializer size 11620
Source: 1.0.cvtres.exe.400000.2.unpack, <PrivateImplementationDetails>{849CCF59-1BE4-4855-BBC1-20E03C66EAF1}/91D53450-0C90-4FFB-ABF1-6E4C372E332A.cs; Large array initialization: .cctor: array initializer size 11620
Source: 1.0.cvtres.exe.400000.1.unpack, <PrivateImplementationDetails>{849CCF59-1BE4-4855-BBC1-20E03C66EAF1}/91D53450-0C90-4FFB-ABF1-6E4C372E332A.cs; Large array initialization: .cctor: array initializer size 11620
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR; Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000000.241242875.0000000000B42000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameKDJFKRKNM.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.247124284.00000000030E2000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameEyKexzPXsluZXTkVHsPL.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameEyKexzPXsluZXTkVHsPL.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Binary or memory string: OriginalFilenameKDJFKRKNM.exe4 vs SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Static PE information: invalid certificate
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe "C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.logJump to behavior
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: 1.0.cvtres.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.0.cvtres.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.0.cvtres.exe.400000.3.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.0.cvtres.exe.400000.3.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.2.cvtres.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.2.cvtres.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: KDJFKRKNM.pdb source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeCode function: 0_2_02E63049 push BD9C45C7h; iretd 0_2_02E6304F
                  Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeStatic PE information: real checksum: 0x484c1 should be: 0x41179
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.743635131824094
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe TID: 6032 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6128 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6132 | Thread sleep count: 9572 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Window / User API: threadDelayed 9572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Thread delayed: delay time: 922337203685477
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ADsCAAB2AAARFhMLONYAAAAAEQsfCf4BLAYWKh8KEwsAEQsZ/gEsBgQUURoTCwARCxj+ASwGAxRRGRMLABELGv4BLA4gACAAAI0vAAABCxsTCwARCxv+ASwGFhMEHBMLABELHP4BLAkgACAAAAwdEwsAEQse/gEsFQIgAAAAgCjzAgAGKOoAAAYmHwkTCwARCxf+ASwDGBMLABELHwr+ASwgEQQNAgd0DAAAGxEECBZvuQEAChMGEQYWMzAWKh8LEwsAEQsd/gEsBwgWM9QeEwsAEQsW/gEsAxcTCwARCx8L/gEsAisFOCX///8RBBEG1hMECBEG2gwHdAwAABsWCRnaKLoBAAoRBBIAKM8AAAYsuAMoowAACgd0DAAAGxYGb9sAAApREQQGOxQBAAARBAbaEwcEEQcX2hfWjS8AAAFRFNCCAAABKBQAAAooVQIABhuNBwAAARMIEQgWBygRAAAKohEIFwaMUQAAAaIRCBgEUKIRCBkWjFEAAAGiEQgaEQeMUQAAAaIRCBM
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.247647159.00000000048D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %GiEQgaEQeMUQ
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %kWjFEAAAGiEQgaEQeMUQAAAaIRC
Source: cvtres.exe, 00000001.00000003.271596448.0000000009DB3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.514945881.0000000009DA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 436000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 438000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 6E4008
Source: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe, u200f????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
Source: 0.0.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.b40000.0.unpack, u200f????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
Source: 1.0.cvtres.exe.400000.0.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.3.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.2.cvtres.exe.400000.0.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.4.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.2.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.1.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (repeated 3 times in the report)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.4f8d790.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe PID: 6008, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 6052, type: MEMORYSTR
MITRE ATT&CK Matrix (listed per tactic column; bracketed numbers reproduce the counts shown next to a technique in the original matrix)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [211]; Native API [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [311]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [311]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [3]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]; System Information Discovery [114]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                  Source | Detection | Scanner | Label | Link
                  SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | 25% | Virustotal | | Browse
                  SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | 100% | Avira | TR/Dropper.MSIL.Gen |
                  SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link | Download
                  1.0.cvtres.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                  1.0.cvtres.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                  1.2.cvtres.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                  1.0.cvtres.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                  0.0.SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe.b40000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                  1.0.cvtres.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                  1.0.cvtres.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                  Source | Detection | Scanner | Label | Link
                  mail.ocpi.com.my | 1% | Virustotal | | Browse
                  Source | Detection | Scanner | Label | Link
                  http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
                  http://mail.ocpi.com.my | 1% | Virustotal | | Browse
                  http://mail.ocpi.com.my | 100% | Avira URL Cloud | malware |
                  http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
                  http://DPVGsz.com | 0% | Avira URL Cloud | safe |
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe |
                  http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe |
                  https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe |
                  https://api.ipify.org% | 0% | URL Reputation | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  mail.ocpi.com.my | 220.158.200.104 | true | false | | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://127.0.0.1:HTTP/1.1 | cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                  http://mail.ocpi.com.my | cvtres.exe, 00000001.00000002.512904675.0000000006C3F000.00000004.00000800.00020000.00000000.sdmp | true | 1%, Virustotal, Browse; Avira URL Cloud: malware | unknown
                  http://cs-g2-crl.thawte.com/ThawteCSG2.crl0 | SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | false | | high
                  http://crl.thawte.com/ThawteTimestampingCA.crl0 | SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | false | | high
                  http://crl.thawte.com/ThawtePCA.crl0 | SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | false | | high
                  http://ocsp.thawte.com0 | SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | false | URL Reputation: safe | unknown
                  http://DPVGsz.com | cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://DynDns.comDynDNSnamejidpasswordPsi/Psi | cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://api.ipify.org%%startupfolder% | cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
                  http://crl.thawte.com/ThawtePremiumServerCA.crl0 | SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | false | | high
                  https://www.thawte.com/cps0 | SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | false | | high
                  https://api.ipify.org% | cvtres.exe, 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
                  http://www.mozilla.com/0 | SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe | false | | high
                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  220.158.200.104 | mail.ocpi.com.my | Malaysia | MY | 55720 | GIGABIT-MYGigabitHostingSdnBhdMY | false
                              Joe Sandbox Version:35.0.0 Citrine
                              Analysis ID:680462
                  Start date and time: 2022-08-08 16:34:08 +02:00
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 7m 4s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Sample file name:SecuriteInfo.com.Suspicious.Win32.Save.a.5066.21910 (renamed file extension from 21910 to exe)
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of new started processes analysed: 12
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:Failed
                              HCA Information:
                              • Successful, ratio: 98%
                              • Number of executed functions: 72
                              • Number of non-executed functions: 11
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                  Time | Type | Description
                  16:35:10 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe modified
                  16:35:13 | API Interceptor | 797x Sleep call for process: cvtres.exe modified
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                  220.158.200.104 | 430#U0437.js | Get hash | malicious | Browse | terracnc.com/wp-content/themes/twentyseventeen/assets/css/sserv.jpg
                  220.158.200.104 | 430#U0437.js | Get hash | malicious | Browse | terracnc.com/wp-content/themes/twentyseventeen/assets/css/sserv.jpg
                  220.158.200.104 | 430#U0437.js | Get hash | malicious | Browse | terracnc.com/wp-content/themes/twentyseventeen/assets/css/sserv.jpg
                  220.158.200.104 | 430#U0437.js | Get hash | malicious | Browse | terracnc.com/wp-content/themes/twentyseventeen/assets/css/sserv.jpg
                  220.158.200.104 | 3copy2.exe | Get hash | malicious | Browse | www.sampahmenyampah.com/sb/?7nT=zskgiH0Bx7gXIR5lnSSOpVLkKRY6hcvrJWjwa+KwCapa+maz34hvlNfuZs6dEIKVDwBx3ECtQuBhDmCZfzyC1Q==&3fu4=pJeDbt2xRRpdaBY
                              No context
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                  GIGABIT-MYGigabitHostingSdnBhdMY | (20 other samples on this ASN, listed in the full report)
                              No context
                              No context
                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):226
                              Entropy (8bit):5.3467126928258955
                              Encrypted:false
                              SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
                              MD5:DD8B7A943A5D834CEEAB90A6BBBF4781
                              SHA1:2BED8D47DF1C0FF76B40811E5F11298BD2D06389
                              SHA-256:E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
                              SHA-512:24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
                              Malicious:true
                              Reputation:moderate, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.610837446996928
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                              • Win32 Executable (generic) a (10002005/4) 49.97%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                              File size:252208
                              MD5:836deaf4e5b11b7ed1a46fea5850b33a
                              SHA1:4ef5dd4bde33a08e5c17da867ee4d14090673317
                              SHA256:a83b4422cdae1748849530513cad3dae8e7ccee4f1117e696a4542156f1ae9e7
                              SHA512:23bc084df7cf3e6ca758b2787f5cb08ed9f4b63c6e7025461e41840a441f9f61e429570fadafb6247571c42c59634f2e7c8226974a4ae9ede80adc5c82d76bec
                              SSDEEP:6144:xi8lykGCl8Wymm0GcqwDhgBx2mtJwy7Aj:Nw5CPRGcqsgBx2cJwy7C
                              TLSH:93349CF8765375CFC50BC8728AA84C64AA607CB7570BD103E45336DEAD5DA9B8F090A3
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0..X...D......Nw... ........@.. ....................................`................................
                              Icon Hash:74ecc4d0f0e8ccc4
                              Entrypoint:0x43774e
                              Entrypoint Section:.text
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x62F0CDFE [Mon Aug 8 08:49:02 2022 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Signature Valid:false
                              Signature Issuer:CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
                              Signature Validation Error:The digital signature of the object did not verify
                              Error Number:-2146869232
                              Not Before, Not After
                              • 10/17/2012 5:00:00 PM 10/18/2013 4:59:59 PM
                              Subject Chain
                              • CN=Mozilla Corporation, OU=Release Engineering, O=Mozilla Corporation, L=Mountain View, S=California, C=US
                              Version:3
                              Thumbprint MD5:D686ED3797F476F0769F99DF2B0BCE73
                              Thumbprint SHA-1:CAC47DBF634D24E9DC93072FE3C8EA6DC3946E89
                              Thumbprint SHA-256:046B93E2298C5D45FB097329D2A7778302298B842664E3EBA261FF617D586F37
                              Serial:3DA9386C2076F738EE246BB8E313A4D4
                              Instruction
                              jmp dword ptr [00402000h]
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x376f4 | 0x57 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x418e | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3bb98 | 0x1d98 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x376b0 | 0x1c | .text
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x35754 | 0x35800 | False | 0.8646548262266355 | data | 7.743635131824094 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x38000 | 0x418e | 0x4200 | False | 0.1376065340909091 | data | 3.022311948175261 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x3e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country
                  RT_ICON | 0x381a0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                  RT_ICON | 0x38608 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                  RT_ICON | 0x396b0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                  RT_GROUP_ICON | 0x3bc58 | 0x30 | data | |
                  RT_VERSION | 0x3bc88 | 0x31c | data | |
                  RT_MANIFEST | 0x3bfa4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                  DLL | Import
                  mscoree.dll | _CorExeMain
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Aug 8, 2022 16:35:19.212708950 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104
                  Aug 8, 2022 16:35:19.480614901 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3
                  Aug 8, 2022 16:35:19.480779886 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104
                  Aug 8, 2022 16:35:20.197417021 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3
                  Aug 8, 2022 16:35:20.197813034 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104
                  Aug 8, 2022 16:35:20.465657949 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3
                  Aug 8, 2022 16:35:20.477567911 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104
                  Aug 8, 2022 16:35:20.745781898 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3
                  Aug 8, 2022 16:35:20.746294022 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104
                  Aug 8, 2022 16:35:21.053112984 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3
                  Aug 8, 2022 16:35:23.238497972 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3
                  Aug 8, 2022 16:35:23.292165995 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104
                  Aug 8, 2022 16:35:23.400872946 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104
                  Aug 8, 2022 16:35:23.668661118 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3
                  Aug 8, 2022 16:35:23.668735027 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3
                  Aug 8, 2022 16:35:23.669408083 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3
                  Aug 8, 2022 16:35:23.669513941 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104
                  Aug 8, 2022 16:35:23.692826986 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104
                  Aug 8, 2022 16:35:23.960593939 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Aug 8, 2022 16:35:19.148879051 CEST | 51578 | 53 | 192.168.2.3 | 8.8.8.8
                  Aug 8, 2022 16:35:19.171308994 CEST | 53 | 51578 | 8.8.8.8 | 192.168.2.3
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Aug 8, 2022 16:35:19.148879051 CEST | 192.168.2.3 | 8.8.8.8 | 0x937b | Standard query (0) | mail.ocpi.com.my | A (IP address) | IN (0x0001)
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Aug 8, 2022 16:35:19.171308994 CEST | 8.8.8.8 | 192.168.2.3 | 0x937b | No error (0) | mail.ocpi.com.my | | 220.158.200.104 | A (IP address) | IN (0x0001)
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                  Aug 8, 2022 16:35:20.197417021 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3 | 220-lion2.sfdns.net ESMTP Exim 4.95 #2 Mon, 08 Aug 2022 22:35:20 +0800
                      220-We do not authorize the use of this system to transport unsolicited,
                      220 and/or bulk e-mail.
                  Aug 8, 2022 16:35:20.197813034 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104 | EHLO 358075
                  Aug 8, 2022 16:35:20.465657949 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3 | 250-lion2.sfdns.net Hello 358075 [102.129.143.3]
                      250-SIZE 104857600
                      250-8BITMIME
                      250-PIPELINING
                      250-PIPE_CONNECT
                      250-AUTH PLAIN LOGIN
                      250-STARTTLS
                      250 HELP
                  Aug 8, 2022 16:35:20.477567911 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104 | AUTH login c3lsdmFpbmJhcmlsQG9jcGkuY29tLm15
                  Aug 8, 2022 16:35:20.745781898 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3 | 334 UGFzc3dvcmQ6
                  Aug 8, 2022 16:35:23.238497972 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3 | 535 Incorrect authentication data
                  Aug 8, 2022 16:35:23.400872946 CEST | 49693 | 587 | 192.168.2.3 | 220.158.200.104 | MAIL FROM:<sylvainbaril@ocpi.com.my>
                  Aug 8, 2022 16:35:23.668735027 CEST | 587 | 49693 | 220.158.200.104 | 192.168.2.3 | 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

                              Target ID:0
                              Start time:16:35:09
                              Start date:08/08/2022
                              Path:C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Suspicious.Win32.Save.a.5066.exe"
                              Imagebase:0xb40000
                              File size:252208 bytes
                              MD5 hash:836DEAF4E5B11B7ED1A46FEA5850B33A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.248323120.0000000004AAA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Reputation:low

                              Target ID:1
                              Start time:16:35:10
                              Start date:08/08/2022
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                              Imagebase:0xa60000
                              File size:43176 bytes
                              MD5 hash:C09985AE74F0882F208D75DE27770DFA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.245549949.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.244725171.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.245291051.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000002.509237498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.244974805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.511164792.0000000006921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:moderate

                                Execution Graph

                                Execution Coverage:26.2%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:12.3%
                                Total number of Nodes:65
                                Total number of Limit Nodes:1
                                (Execution graph rendered as a figure; not reproduced. API call nodes appearing in the graph: CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, SetThreadContext, ResumeThread.)

                                Control-flow Graph

                                (Control-flow graph rendered as a figure; not reproduced. Function entry: 2e68e4b; calls 2e68f11. Legend: Executed / Not Executed.)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: <JtD$<JtD$Hh%
                                • API String ID: 0-890187626
                                • Opcode ID: 80ab3893628f51298f72e51c328d02cdb52364795b921408575ef8035da3aaf5
                                • Instruction ID: 4eeb6c2b4f0756fce64e3902809a1a0ddc6ea4b5c9f4c9130f269cda3509830a
                                • Opcode Fuzzy Hash: 80ab3893628f51298f72e51c328d02cdb52364795b921408575ef8035da3aaf5
                                • Instruction Fuzzy Hash: C1C1DB70D88159CFDB00CFA5C8895FEFBB2FF49394B18A659C454AB212D339894ACF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                (Control-flow graph rendered as a figure; not reproduced. Function entry: 2e68f18. Legend: Executed / Not Executed.)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: <JtD$<JtD$Hh%
                                • API String ID: 0-890187626
                                • Opcode ID: b59a2fb3506edefb8fc55e24ffce1cf33f4ca1ac4402165fbd15b1dbf80424aa
                                • Instruction ID: c0c5b57bf89ceab52d354fa5dc4b232e35597f9c4d0df698791f8f758e57dc29
                                • Opcode Fuzzy Hash: b59a2fb3506edefb8fc55e24ffce1cf33f4ca1ac4402165fbd15b1dbf80424aa
                                • Instruction Fuzzy Hash: 96B148B0D8421A8FCB00CFA5D8859EEFBB2FB49394F14E615D425BB251C3389985CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                (Control-flow graph rendered as a figure; not reproduced. Function entry: 2e68f11. Legend: Executed / Not Executed.)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: <JtD$<JtD$Hh%
                                • API String ID: 0-890187626
                                • Opcode ID: ca7a15a3f150f345987e4e3aeaeb8bca532ddffaaa7e420e35e32bc3e50a5008
                                • Instruction ID: 30c1a10d404763f71513aa9a88a893cf2e85acbb9aafd20a3206444da8d483a1
                                • Opcode Fuzzy Hash: ca7a15a3f150f345987e4e3aeaeb8bca532ddffaaa7e420e35e32bc3e50a5008
                                • Instruction Fuzzy Hash: 75A159B0D8421A8FCB00CFA5D8859EEFBB2FB49354F14E615D461BB251C338D986CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                (Control-flow graph rendered as a figure; not reproduced. Function entry: 2e6a280; calls 2e68f18 and 2e69de5/2e69df0. Legend: Executed / Not Executed.)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: no$U;D
                                • API String ID: 0-4097780906
                                • Opcode ID: c9667d95eaf9ecb14b5ee7157d456009e9c82080942a31e80916816dca034a7a
                                • Instruction ID: 9a500826418b2f0480e0ff4debeea5230feee20680e2ebb9b46e51faf4fab9f5
                                • Opcode Fuzzy Hash: c9667d95eaf9ecb14b5ee7157d456009e9c82080942a31e80916816dca034a7a
                                • Instruction Fuzzy Hash: 5DF113B0E842298BCB64CF65D844BEEB7B6AB89300F10E5EAD509B7340DB755E818F54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                (Control-flow graph rendered as a figure; not reproduced. Function entry: 2e6a270; calls 2e68f18 and 2e69de5/2e69df0. Legend: Executed / Not Executed.)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: no$U;D
                                • API String ID: 0-4097780906
                                • Opcode ID: f2c8dfd5bfd7e362e69f2a566626af3602ae4aac3ba55b466a65425c84a933b5
                                • Instruction ID: f53e65ae12c01f446f405d347f143b49f694fd7915efcab3ac1d3f411836dd85
                                • Opcode Fuzzy Hash: f2c8dfd5bfd7e362e69f2a566626af3602ae4aac3ba55b466a65425c84a933b5
                                • Instruction Fuzzy Hash: 1DF123B0E842698BCB65CF65D844BEEB7B2BB89300F10E5EAD509B7340DB754E818F54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: o3-
                                • API String ID: 0-4199267001
                                • Opcode ID: 049480e611c23439bd0c1a07a968d8f6952b0bd5aeb22b956057b08e003930b3
                                • Instruction ID: 4701a7528a9bfaa0cba960fd581a53065218b9b285330aa4bc14289ef8145f73
                                • Opcode Fuzzy Hash: 049480e611c23439bd0c1a07a968d8f6952b0bd5aeb22b956057b08e003930b3
                                • Instruction Fuzzy Hash: BD513674E842099FCB04CFA5D5889EEFBB2EF89354F14E46AD811A7324D7349A01CF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: o3-
                                • API String ID: 0-4199267001
                                • Opcode ID: b06d392103c4cfbfcd0d02f390d21d6bb47403a3c69186802d904a7d9fa74001
                                • Instruction ID: fcf276ac9b7993382861e6cdac0b09645e61b7db3ccfece94ee0e52c835ac257
                                • Opcode Fuzzy Hash: b06d392103c4cfbfcd0d02f390d21d6bb47403a3c69186802d904a7d9fa74001
                                • Instruction Fuzzy Hash: 15512374E842099FCB04CFA5E5849EEFBB2EB89254F24E46AD811B7324D7349A00CF65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: <q
                                • API String ID: 0-3978521995
                                • Opcode ID: ce04c7fdbe47ac87aabf593a5b5b974396573721247977db978b5eed387c35b5
                                • Instruction ID: 0c615abc96dec8749c4dc5dd10953d28b3772c74820a685b63fb1bb894738337
                                • Opcode Fuzzy Hash: ce04c7fdbe47ac87aabf593a5b5b974396573721247977db978b5eed387c35b5
                                • Instruction Fuzzy Hash: 5F5105B0E452098FCB09CFAAC5446EEFBF2EB89341F14D46AD419AB354D7348A41CF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b4039667acb1b54e70393759d20abe0d74c75565446745df9f1ce660930abaff
                                • Instruction ID: 8681293bfc1e8034b1e943021cf2d12395a4e19a31b3591d5d703b8e992d7719
                                • Opcode Fuzzy Hash: b4039667acb1b54e70393759d20abe0d74c75565446745df9f1ce660930abaff
                                • Instruction Fuzzy Hash: 47F1CE70D88246CFCB04CFA5C4894EEFBB2FF89340B14E599C916A7216D739A946CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ee825a558fc3142add8669429a5705d0ea0e8fe62341920c15e03a71ccb001da
                                • Instruction ID: aa81d7c96720014d382403849bad65423ef4c7b81d266415147898897d98dca6
                                • Opcode Fuzzy Hash: ee825a558fc3142add8669429a5705d0ea0e8fe62341920c15e03a71ccb001da
                                • Instruction Fuzzy Hash: 33F1CF70D88246CFCB04CFA5C4894EEFBB2FF89740B14E599C906A7216D735A946CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 621cc61cdb29969b281aaa25ff4f0294c047c40e38bcbe2885138055819623d4
                                • Instruction ID: b8069c1fb6dca4f2f1ee6b441aa96332ef48065cd066dfe3c2dc6abbe01dad6a
                                • Opcode Fuzzy Hash: 621cc61cdb29969b281aaa25ff4f0294c047c40e38bcbe2885138055819623d4
                                • Instruction Fuzzy Hash: 1ED148B4D8420ADFCB04CF95C4888AEFBB2FF89740B14E599C516AB355D734AA42CF94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1b0aaaaa10aed83709ceab61ed66795ba75332c48fa68c28002407683171fe10
                                • Instruction ID: 5e37f82c9c61dde536b4e5740fbd4e2a86e9f20e391711ab9bdfc193b838e2d2
                                • Opcode Fuzzy Hash: 1b0aaaaa10aed83709ceab61ed66795ba75332c48fa68c28002407683171fe10
                                • Instruction Fuzzy Hash: 8D5124B0D95219CFCB14CFA5C4496EEFBB2FF48348F10A82AD416AB254DB745A46CF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 915985452d0146fc0e208c5c7fbcea1bcac0bbd3fb264122a6fb18c6b7b68f2a
                                • Instruction ID: a78cebba8fcff4141a43bbf42e20c6340e7c68f8dfb2d9ccd26dff2aa8315eca
                                • Opcode Fuzzy Hash: 915985452d0146fc0e208c5c7fbcea1bcac0bbd3fb264122a6fb18c6b7b68f2a
                                • Instruction Fuzzy Hash: 0F5138B0D95219CFCB14CFA5C4486EEFBB2FF45348F10A82AD416AB254DB785A46CF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 825f764b58d3332ed11b94e0e4753d4e6c7fc1a1eb2003e4f2281ad49171e7ea
                                • Instruction ID: 11d2107e72e265d65336fa9c56a32c1441e5a21b44b3c98e99393aa503b3fa0d
                                • Opcode Fuzzy Hash: 825f764b58d3332ed11b94e0e4753d4e6c7fc1a1eb2003e4f2281ad49171e7ea
                                • Instruction Fuzzy Hash: 1F31F6B1E006188BDB18CFA6D8543DEBBB2EFC9314F14C06AD809AA254DB751A56CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 354 2e69de5-2e69e89 357 2e69ed2-2e69efa 354->357 358 2e69e8b-2e69ea2 354->358 362 2e69f40-2e69f96 357->362 363 2e69efc-2e69f10 357->363 358->357 361 2e69ea4-2e69ea9 358->361 364 2e69ecc-2e69ecf 361->364 365 2e69eab-2e69eb5 361->365 371 2e69fdc-2e6a0ca CreateProcessA 362->371 372 2e69f98-2e69fac 362->372 363->362 373 2e69f12-2e69f17 363->373 364->357 366 2e69eb7 365->366 367 2e69eb9-2e69ec8 365->367 366->367 367->367 370 2e69eca 367->370 370->364 391 2e6a0d3-2e6a1b8 371->391 392 2e6a0cc-2e6a0d2 371->392 372->371 381 2e69fae-2e69fb3 372->381 374 2e69f3a-2e69f3d 373->374 375 2e69f19-2e69f23 373->375 374->362 376 2e69f27-2e69f36 375->376 377 2e69f25 375->377 376->376 380 2e69f38 376->380 377->376 380->374 383 2e69fd6-2e69fd9 381->383 384 2e69fb5-2e69fbf 381->384 383->371 385 2e69fc3-2e69fd2 384->385 386 2e69fc1 384->386 385->385 388 2e69fd4 385->388 386->385 388->383 404 2e6a1ba-2e6a1be 391->404 405 2e6a1c8-2e6a1cc 391->405 392->391 404->405 406 2e6a1c0 404->406 407 2e6a1ce-2e6a1d2 405->407 408 2e6a1dc-2e6a1e0 405->408 406->405 407->408 409 2e6a1d4 407->409 410 2e6a1e2-2e6a1e6 408->410 411 2e6a1f0-2e6a1f4 408->411 409->408 410->411 412 2e6a1e8 410->412 413 2e6a1f6-2e6a21f 411->413 414 2e6a22a-2e6a235 411->414 412->411 413->414 418 2e6a236 414->418 418->418
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02E6A0B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: d8239299d3a67a946bad329d3a0d86584350df52bb35753d46a4d895474e6319
                                • Instruction ID: e94c0d2df3bd02083ffa42e9eedb7eeec7c2f32d8372cef8deaab890115c88da
                                • Opcode Fuzzy Hash: d8239299d3a67a946bad329d3a0d86584350df52bb35753d46a4d895474e6319
                                • Instruction Fuzzy Hash: DEC13771D402698FDF20CFA4C845BEDBBB1BF49308F04A5A9E419B7250DB749A89CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 419 2e69df0-2e69e89 421 2e69ed2-2e69efa 419->421 422 2e69e8b-2e69ea2 419->422 426 2e69f40-2e69f96 421->426 427 2e69efc-2e69f10 421->427 422->421 425 2e69ea4-2e69ea9 422->425 428 2e69ecc-2e69ecf 425->428 429 2e69eab-2e69eb5 425->429 435 2e69fdc-2e6a0ca CreateProcessA 426->435 436 2e69f98-2e69fac 426->436 427->426 437 2e69f12-2e69f17 427->437 428->421 430 2e69eb7 429->430 431 2e69eb9-2e69ec8 429->431 430->431 431->431 434 2e69eca 431->434 434->428 455 2e6a0d3-2e6a1b8 435->455 456 2e6a0cc-2e6a0d2 435->456 436->435 445 2e69fae-2e69fb3 436->445 438 2e69f3a-2e69f3d 437->438 439 2e69f19-2e69f23 437->439 438->426 440 2e69f27-2e69f36 439->440 441 2e69f25 439->441 440->440 444 2e69f38 440->444 441->440 444->438 447 2e69fd6-2e69fd9 445->447 448 2e69fb5-2e69fbf 445->448 447->435 449 2e69fc3-2e69fd2 448->449 450 2e69fc1 448->450 449->449 452 2e69fd4 449->452 450->449 452->447 468 2e6a1ba-2e6a1be 455->468 469 2e6a1c8-2e6a1cc 455->469 456->455 468->469 470 2e6a1c0 468->470 471 2e6a1ce-2e6a1d2 469->471 472 2e6a1dc-2e6a1e0 469->472 470->469 471->472 473 2e6a1d4 471->473 474 2e6a1e2-2e6a1e6 472->474 475 2e6a1f0-2e6a1f4 472->475 473->472 474->475 476 2e6a1e8 474->476 477 2e6a1f6-2e6a21f 475->477 478 2e6a22a-2e6a235 475->478 476->475 477->478 482 2e6a236 478->482 482->482
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02E6A0B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: a6d0110c08f8aa3d0eec8e51b80251ac3c972526d8ac757cd94ca21e19fc97f3
                                • Instruction ID: 89fec3d77029930111a1bb307975441f21123f3a05575d9c2c9eaefe43f918fc
                                • Opcode Fuzzy Hash: a6d0110c08f8aa3d0eec8e51b80251ac3c972526d8ac757cd94ca21e19fc97f3
                                • Instruction Fuzzy Hash: D8C11771D4026D8FDB20CFA4C845BEEBBB1BF49308F04A5A9E419B7250DB745A89CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 483 2e69a61-2e69ad3 486 2e69ad5-2e69ae7 483->486 487 2e69aea-2e69b4b WriteProcessMemory 483->487 486->487 489 2e69b54-2e69ba6 487->489 490 2e69b4d-2e69b53 487->490 490->489
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02E69B3B
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 4df2412ed4eaca4a052bcee9da10e86cbd1227a89a0b35d19ea16892ae88e7ef
                                • Instruction ID: e017f077803019089b11b1815dde758ad4bdbd88fec3dbc05eb56d82d938ea54
                                • Opcode Fuzzy Hash: 4df2412ed4eaca4a052bcee9da10e86cbd1227a89a0b35d19ea16892ae88e7ef
                                • Instruction Fuzzy Hash: CA41AAB5D002589FCF00CFA9D984AEEFBF1BB49314F14912AE814B7250D739AA46CF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 495 2e69a68-2e69ad3 497 2e69ad5-2e69ae7 495->497 498 2e69aea-2e69b4b WriteProcessMemory 495->498 497->498 500 2e69b54-2e69ba6 498->500 501 2e69b4d-2e69b53 498->501 501->500
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02E69B3B
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 0e136d9a82fac43ef739332322ae98384a5610f2e6695299fcb2c2597f4ec552
                                • Instruction ID: 1e4518f2c9e49b8b7a5fa7baa67a505a7083121c428ad723718871e2b4c1db8b
                                • Opcode Fuzzy Hash: 0e136d9a82fac43ef739332322ae98384a5610f2e6695299fcb2c2597f4ec552
                                • Instruction Fuzzy Hash: D84198B5D012589FCF00CFA9D984AEEFBF1BB49314F14902AE818B7210D779AA45CF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 506 2e69bb9-2e69c82 ReadProcessMemory 510 2e69c84-2e69c8a 506->510 511 2e69c8b-2e69cdd 506->511 510->511
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02E69C72
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 0201f87897410067604bc54052007ea189d7fe0f21e6c1d66973d3e3650542ff
                                • Instruction ID: 76ae379658d554fb1f99f917a5c93752e12714ae6e4556fa5b905b2841ec2189
                                • Opcode Fuzzy Hash: 0201f87897410067604bc54052007ea189d7fe0f21e6c1d66973d3e3650542ff
                                • Instruction Fuzzy Hash: F241CAB5D00258DFCF10CFA9D884AEEFBB1BB49324F14912AE814B7240D735A946CF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 516 2e69bc0-2e69c82 ReadProcessMemory 519 2e69c84-2e69c8a 516->519 520 2e69c8b-2e69cdd 516->520 519->520
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02E69C72
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 5e8af021188ba67118811bd16feee2067ed0fc9ae8c8539b0737c82d786d3258
                                • Instruction ID: 4d45ef3392373c632d50b17629b18ddcd720eebaf9d0c88cb03327ba7ce596e4
                                • Opcode Fuzzy Hash: 5e8af021188ba67118811bd16feee2067ed0fc9ae8c8539b0737c82d786d3258
                                • Instruction Fuzzy Hash: D041A9B5D00258DFCF00CFA9D984AEEFBB5BB49314F14A42AE815B7210D735A945CF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 525 2e69941-2e69a02 VirtualAllocEx 529 2e69a04-2e69a0a 525->529 530 2e69a0b-2e69a55 525->530 529->530
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02E699F2
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 4713d14573a39c3f0346bfd0f4832849abeedfd3129531bb256d04788968be38
                                • Instruction ID: dd3b8e74e5f2716f5286fc53f421df64b44b78807c53463f0fa171872e69db19
                                • Opcode Fuzzy Hash: 4713d14573a39c3f0346bfd0f4832849abeedfd3129531bb256d04788968be38
                                • Instruction Fuzzy Hash: 8A31BAB5D002589FCF10CFA9D984AEEFBB1BB59324F14A12AE814B7310D735A946CF54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 535 2e69948-2e69a02 VirtualAllocEx 538 2e69a04-2e69a0a 535->538 539 2e69a0b-2e69a55 535->539 538->539
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02E699F2
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 324c8cc884dfcde82e5857d9ec2cc854489466e0e17c174cdee435718b704386
                                • Instruction ID: 0d2d3ce4dd0d8e0d0566831cc17bdea198ce090df2a682a5c5e409ba4b3aa2d8
                                • Opcode Fuzzy Hash: 324c8cc884dfcde82e5857d9ec2cc854489466e0e17c174cdee435718b704386
                                • Instruction Fuzzy Hash: 4B31A7B9D002589FCF10CFA9D984AEEFBB5BB49314F10A02AE814B7310D735A946CF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 544 2e69818-2e69880 546 2e69897-2e698df SetThreadContext 544->546 547 2e69882-2e69894 544->547 549 2e698e1-2e698e7 546->549 550 2e698e8-2e69934 546->550 547->546 549->550
                                APIs
                                • SetThreadContext.KERNELBASE(?,?), ref: 02E698CF
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ContextThread
                                • String ID:
                                • API String ID: 1591575202-0
                                • Opcode ID: 997e816172d04b84c79a0c859f9a551e34750fcdbe03b52dc641f54ddf04a425
                                • Instruction ID: e72ecb2c8b19e58cd9fd88eb05c2e11c2c4706c5926618e245ea35d6cf0fea51
                                • Opcode Fuzzy Hash: 997e816172d04b84c79a0c859f9a551e34750fcdbe03b52dc641f54ddf04a425
                                • Instruction Fuzzy Hash: 1D41BBB5D002589FCB14CFA9D885AEEFBF1BF49314F14902AE418B7240D778A94ACF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 555 2e69820-2e69880 557 2e69897-2e698df SetThreadContext 555->557 558 2e69882-2e69894 555->558 560 2e698e1-2e698e7 557->560 561 2e698e8-2e69934 557->561 558->557 560->561
                                APIs
                                • SetThreadContext.KERNELBASE(?,?), ref: 02E698CF
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ContextThread
                                • String ID:
                                • API String ID: 1591575202-0
                                • Opcode ID: e5594f86b6e69a01e46ea60a9e84887754e76dd4dcacb5ea28856786befc39f3
                                • Instruction ID: 1f44e9a6cf6928bddb1c2d8cb9eb3dbdd4c6711f2b227d6acffd7c8fd43d2e8f
                                • Opcode Fuzzy Hash: e5594f86b6e69a01e46ea60a9e84887754e76dd4dcacb5ea28856786befc39f3
                                • Instruction Fuzzy Hash: E631ABB5D002589FCB14CFA9D984AEEFBF1BF49314F14902AE414B7240D778A949CFA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ResumeThread.KERNELBASE(?), ref: 02E697AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 1bac48a6db6cba2c0d569bc99ce4c17988569c117e0668e7b53ef2ef1012f205
                                • Instruction ID: 3ac44e6d81590a81ed78ab7b78666ca7cf34d75cd61b1ebfa2dcb6702e47ba84
                                • Opcode Fuzzy Hash: 1bac48a6db6cba2c0d569bc99ce4c17988569c117e0668e7b53ef2ef1012f205
                                • Instruction Fuzzy Hash: 8931DCB4D002589FCB10CFA9D984AEEFBB0AF49324F14952AE814B7340D734A905CF94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ResumeThread.KERNELBASE(?), ref: 02E697AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: c71b8c7bbca251b1e5a03e28d5b2962c7d3624bc8cac6ef5cf9f49d9a5c4ff9f
                                • Instruction ID: 148a0afc4c636f09ac54b5fd9e63b1139b0944e5de2983d0a7d993cce188a8b4
                                • Opcode Fuzzy Hash: c71b8c7bbca251b1e5a03e28d5b2962c7d3624bc8cac6ef5cf9f49d9a5c4ff9f
                                • Instruction Fuzzy Hash: A231C9B4D002589FCB10CFA9E984AEEFBB4BB49314F14942AE814B7300DB34A905CFA4
                                Uniqueness

                                Uniqueness Score: -1.00%
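Taken together, the API references in the function blocks above (CreateProcessA at 02E6A0B7, VirtualAllocEx at 02E699F2, WriteProcessMemory at 02E69B3B, ReadProcessMemory at 02E69C72, SetThreadContext at 02E698CF and ResumeThread at 02E697AE, all inside the dump at offset 02E60000) are the complete primitive set of process hollowing (RunPE): create a process suspended, allocate and write the replacement image into it, point the suspended thread's context at the new entry point, resume. This is the static evidence behind the "Injects a PE file into a foreign processes" and "Writes to foreign memory regions" signatures; the five small wrapper functions also share an almost identical Instruction Fuzzy Hash, consistent with uniform call stubs around each import. The following script is an added example for this report, not Joe Sandbox code: it parses API entries in exactly the notation printed above, normalises Win32 and Nt-level spellings onto one key per primitive, groups call sites into 64 KiB regions (an assumption that stands in for the report's own per-dump grouping) and scores each region against the required set. A second function checks ordering for a dynamic call trace, since a static listing proves capability, not execution order. The six report lines are copied from this page; the three at 0040xxxx are constructed to show a region with a partial set that must not match.

```python
import re
from collections import defaultdict
from typing import Optional

# Matches the "APIs" entries exactly as this report prints them, e.g.
#   • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02E69B3B
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 and Nt-level spellings of each hollowing primitive collapse onto one key,
# so an ntdll-only loader (assumption: the usual Nt* equivalents) still matches.
CANONICAL = {
    "createprocess": "create_process", "createprocessinternal": "create_process",
    "ntcreateuserprocess": "create_process",
    "ntunmapviewofsection": "unmap", "zwunmapviewofsection": "unmap",
    "virtualallocex": "alloc_remote", "ntallocatevirtualmemory": "alloc_remote",
    "writeprocessmemory": "write_remote", "ntwritevirtualmemory": "write_remote",
    "readprocessmemory": "read_remote", "ntreadvirtualmemory": "read_remote",
    "getthreadcontext": "get_context", "ntgetcontextthread": "get_context",
    "setthreadcontext": "set_context", "ntsetcontextthread": "set_context",
    "resumethread": "resume", "ntresumethread": "resume",
}
# The five primitives a RunPE loader cannot do without, in the order it must call them.
# Unmapping the original image, reading the child's PEB and GetThreadContext are optional
# because implementations vary.
CHAIN = ["create_process", "alloc_remote", "write_remote", "set_context", "resume"]
REQUIRED = set(CHAIN)


def canonical(api: str) -> Optional[str]:
    """Map an API name to its hollowing-primitive key, ignoring an A/W suffix."""
    name = api.lower()
    if name[-1:] in ("a", "w") and name[:-1] in CANONICAL:
        name = name[:-1]
    return CANONICAL.get(name)


def parse_api_refs(text: str):
    """Return (api, module, ref_address) for every API line in a report excerpt."""
    refs = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            refs.append((m.group("api"), m.group("module"), int(m.group("ref"), 16)))
    return refs


def hollowing_verdict(refs, region_size: int = 0x10000):
    """Score each code region for the RunPE primitive set.

    Assumption: call sites within one 64 KiB region belong to one loader; for this
    report that reproduces the grouping by the dump at offset 02E60000."""
    present = defaultdict(dict)
    for api, _module, ref in refs:
        key = canonical(api)
        if key is not None:
            present[ref & ~(region_size - 1)].setdefault(key, f"{ref:08X}")
    verdicts = {}
    for region, sites in present.items():
        keys = set(sites)
        missing = sorted(REQUIRED - keys)
        verdicts[region] = {
            "sites": dict(sorted(sites.items())),
            "missing": missing,
            "score": round(len(REQUIRED & keys) / len(REQUIRED), 2),
            "hollowing": not missing,
        }
    return verdicts


def ordered_chain(trace) -> bool:
    """For a dynamic API trace (names in call order), require the five primitives to
    appear with create < alloc < write < set_context < resume (first occurrences)."""
    first = {}
    for i, api in enumerate(trace):
        key = canonical(api)
        if key is not None:
            first.setdefault(key, i)
    if any(k not in first for k in CHAIN):
        return False
    positions = [first[k] for k in CHAIN]
    return positions == sorted(positions)


# Six lines copied from this report, plus three constructed lines in a second region
# that has only a partial primitive set and therefore must not be flagged.
REPORT_EXCERPT = """
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02E6A0B7
• WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02E69B3B
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02E69C72
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02E699F2
• SetThreadContext.KERNELBASE(?,?), ref: 02E698CF
• ResumeThread.KERNELBASE(?), ref: 02E697AE
• GetModuleHandleW.KERNEL32(?), ref: 00401234
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00401300
• WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00401388
"""

if __name__ == "__main__":
    for region, v in sorted(hollowing_verdict(parse_api_refs(REPORT_EXCERPT)).items()):
        print(f"{region:08X}: score={v['score']} hollowing={v['hollowing']} missing={v['missing']}")
```

Run as a script it reports the 02E60000 region as a full match (score 1.0, nothing missing) and the constructed 00400000 region as a partial set (score 0.4, no verdict). Treat the partial case carefully in practice: VirtualAllocEx plus WriteProcessMemory alone also describes debuggers, DLL injectors used by legitimate software and some installers, which is why the verdict keys on the whole chain rather than on any one call.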

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: -T $-T
                                • API String ID: 0-797756653
                                • Opcode ID: 67f0cb980ad4fe046c5ded238f07229b4b319aa9e06b35b5aadbe7a70b2e8832
                                • Instruction ID: 4e2202e62c4cf70d46b68ea14e00cabcd7bb96aaa78e28d11aace81448b7ca8d
                                • Opcode Fuzzy Hash: 67f0cb980ad4fe046c5ded238f07229b4b319aa9e06b35b5aadbe7a70b2e8832
                                • Instruction Fuzzy Hash: C471E074E812099FCB54CF99E5849AEFBF1FF88350F14D55AE429AB260D730AA41CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: -T $6
                                • API String ID: 0-1632519073
                                • Opcode ID: b1318fdfc0076169ef4f38a4ff2549b1c68b72c7c059766cbe232b04163c2430
                                • Instruction ID: 703c55dbf392a93bcb2d216ca355f908dd1c8929e1ace3482e9ea0734106a335
                                • Opcode Fuzzy Hash: b1318fdfc0076169ef4f38a4ff2549b1c68b72c7c059766cbe232b04163c2430
                                • Instruction Fuzzy Hash: EC71E034E412099FCB54CFA9E5849AEFBF1FF89350F18D55AE429AB260D730AA41CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: K@$$d?(
                                • API String ID: 0-3569548972
                                • Opcode ID: fa3829ebb9a87af5be1c6ba5c2111f684607b6e5aee0eb0768763f6abd606317
                                • Instruction ID: da3a78422b43abd3dbc2f19e2a3cf5ac7f8406d23a0168378f71036422c403af
                                • Opcode Fuzzy Hash: fa3829ebb9a87af5be1c6ba5c2111f684607b6e5aee0eb0768763f6abd606317
                                • Instruction Fuzzy Hash: B6411171D58284CFDB05CFBAD8855EDFFB2AF86224F18C56AD408AB212EB344816CF45
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: K@$$d?(
                                • API String ID: 0-3569548972
                                • Opcode ID: 2541bfe51ee7388370b9be988b2da3b709fb65f7ed68c65ec5f06980a449ddb9
                                • Instruction ID: 1ed464870f36d3d000824e29915d3c4a516fcc2da9734b4a7990818a298e8098
                                • Opcode Fuzzy Hash: 2541bfe51ee7388370b9be988b2da3b709fb65f7ed68c65ec5f06980a449ddb9
                                • Instruction Fuzzy Hash: F1312574E512189BDB08CFAAD9845EEFBB6AFC8304F14D52AD504AB224DB348941CB44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6c8bf9c35f98945272df2e5ba18117de4e9f85700c6bc591a0f6fcb9a142b03e
                                • Instruction ID: 35d2f25b66333b628dd5b937885c9ed2511703a6828464e0cec8647d1b7bade7
                                • Opcode Fuzzy Hash: 6c8bf9c35f98945272df2e5ba18117de4e9f85700c6bc591a0f6fcb9a142b03e
                                • Instruction Fuzzy Hash: 084114B4E90218DBCB18CFAAD9859EEFBF2BF89354F64D62AD414AB214D7305941CF40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57e0912f365becb3a1cb6f1b19e7675b0d414af91cfaf08f670368b9953eadfa
                                • Instruction ID: 08cd0b7787da03abc27152c94029cc7190b64407a3593cce857ed6d0120fae98
                                • Opcode Fuzzy Hash: 57e0912f365becb3a1cb6f1b19e7675b0d414af91cfaf08f670368b9953eadfa
                                • Instruction Fuzzy Hash: F141D774E4460A9FCB44CFAAC5855EEFBF2BF88340F64E42AC415A7214D7349A41CF95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 44e40bb242eda6ff7af960d408761acd7d347b63f8e51f86a71ac8c57b8274a5
                                • Instruction ID: 0410f81d68b1d17d66420cc991f7ff9030163ac08a01ed4c015ebcd516d1fd8e
                                • Opcode Fuzzy Hash: 44e40bb242eda6ff7af960d408761acd7d347b63f8e51f86a71ac8c57b8274a5
                                • Instruction Fuzzy Hash: 1E41D574E4460A9FCB48CFAAC5895EEFBF2BF88340F64D42AC415A7214D7349A42CF95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8df21f31d0d4ed53acd91919ec4e23e9047dc88f544f97d4721be812a77c9533
                                • Instruction ID: 28d62c8000798486964c88e0f075cf59c6f3e75082d60d6ff9248ce9ec44cfb6
                                • Opcode Fuzzy Hash: 8df21f31d0d4ed53acd91919ec4e23e9047dc88f544f97d4721be812a77c9533
                                • Instruction Fuzzy Hash: BC413AB0E95218CFCB18CFAAD9849EEBBF2BF89340F64D52AD414AB215D7345942CF40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b53a65bd2b4e4c836072851bad73b295d3c2b0443a309b64c7af2c6f8d946225
                                • Instruction ID: 9a063016d00527f66182a3eb15718dc611feaa11b2af205045d0fbaa059fc083
                                • Opcode Fuzzy Hash: b53a65bd2b4e4c836072851bad73b295d3c2b0443a309b64c7af2c6f8d946225
                                • Instruction Fuzzy Hash: 71419671E446188BDB19CF6BD8546DAFBF3AFC9300F04C1AAD818A7264EB355986CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 491997bf2ac5e44d0ca84bd92792dd41e664706d4b268021315ab1a2db7060a7
                                • Instruction ID: 713b43e55d68388e27ba1ae89addd41c50d7f10e7ebfba3f00f3f9847dde130b
                                • Opcode Fuzzy Hash: 491997bf2ac5e44d0ca84bd92792dd41e664706d4b268021315ab1a2db7060a7
                                • Instruction Fuzzy Hash: A221C374E406189BDB18CFAAD984AEEBBF2FF88318F24C17AD509A7214DB344941CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.246786471.0000000002E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2e60000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: aa61dabbb4086db87fa772b2d74abae4811306e63c5193c1649a1c5cba1b8a51
                                • Instruction ID: a0cf173078fa0882318c1068bdcf05c830266a0bab074933244b1fcc98543ae2
                                • Opcode Fuzzy Hash: aa61dabbb4086db87fa772b2d74abae4811306e63c5193c1649a1c5cba1b8a51
                                • Instruction Fuzzy Hash: 1511DA71E416199BEB1CCFABD9446EEFAF3BFC8340F14D076D918A6224EB3015568E14
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Execution Graph

                                Execution Coverage:8.1%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:45
                                Total number of Limit Nodes:0
                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 67ab3bd400b4c2c4f9bcae7a2ffb113bd1317a57707a6a491c8cc41562a1cd1b
                                • Instruction ID: 2b119a48a6af1f8bb072021872c10a949da2c486fe733a1aae7b3730598ec744
                                • Opcode Fuzzy Hash: 67ab3bd400b4c2c4f9bcae7a2ffb113bd1317a57707a6a491c8cc41562a1cd1b
                                • Instruction Fuzzy Hash: 0DD21730B091969BE7119F2488743EBFFF2AF8A364F5A48A9D5819F242E738DC55C740
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2a4cb5db34e24ccd935bc166f0fcc0efff0828f13b5f206f4d3d5dbc23b4cae5
                                • Instruction ID: f08d78bcba5bc36fc45ceb015839f28f10297b093ada1d1950985406202aaf58
                                • Opcode Fuzzy Hash: 2a4cb5db34e24ccd935bc166f0fcc0efff0828f13b5f206f4d3d5dbc23b4cae5
                                • Instruction Fuzzy Hash: EA42E430B042548FEB04EBB8D8546AEBBB2EF85354F15806AD606EB391EB35DC15CBD1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2e72917ea5851579d5e38acfd29e4cf56b8cda3e9273e279cd90c08f57040cf3
                                • Instruction ID: 04614db6658f18e3f44e2b8e4c0e7de735c25c691730abe8c1c15a1cc213798a
                                • Opcode Fuzzy Hash: 2e72917ea5851579d5e38acfd29e4cf56b8cda3e9273e279cd90c08f57040cf3
                                • Instruction Fuzzy Hash: 7D42AE229181E25BE7278F7884243F6BFB2AFC7254F8D40D8CAC15F156D726D8A5CB80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: acf1b7127675d2eabac0fae5be980cc0b6f40ae07886f73c1280fd56f18e35a9
                                • Instruction ID: 53b7e94602fcc17a70e31b7498b6a3b88b3ced7a72b2c9a811cbfdd3806bf31b
                                • Opcode Fuzzy Hash: acf1b7127675d2eabac0fae5be980cc0b6f40ae07886f73c1280fd56f18e35a9
                                • Instruction Fuzzy Hash: 7F326F30E002588FEB24DBB8C4947ADBBB2AF85314F15C569D40AAF385EB79D885CF51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                APIs
                                • LoadLibraryA.KERNELBASE(?), ref: 04EEC9BA
                                Memory Dump Source
                                • Source File: 00000001.00000002.510720770.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_4ee0000_cvtres.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 4c083027f3b6b05326a3247a0c71ee739dd7d0e97bacd82b72f91127d6d1ffdd
                                • Instruction ID: 12dc8e6c3146b35371f5978e2e50f99b0d58556707a739afcc6cac47b8436141
                                • Opcode Fuzzy Hash: 4c083027f3b6b05326a3247a0c71ee739dd7d0e97bacd82b72f91127d6d1ffdd
                                • Instruction Fuzzy Hash: 6F3157B1D042499FDB14CFAAC445BEEBBF5FB08314F248529E81AA7380D775A481CF95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                APIs
                                • LoadLibraryA.KERNELBASE(?), ref: 04EEC9BA
                                Memory Dump Source
                                • Source File: 00000001.00000002.510720770.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_4ee0000_cvtres.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 92cf4809709508f32fb69dbac8275ce688cdef50bfb4e1e809e46309ccf953a0
                                • Instruction ID: b890e4787c136286054f38ba4847eb18021fce5d7c80f92625a0f829b63c73d3
                                • Opcode Fuzzy Hash: 92cf4809709508f32fb69dbac8275ce688cdef50bfb4e1e809e46309ccf953a0
                                • Instruction Fuzzy Hash: 8A3148B1D002599FDB14CFA9C845BEEBBF5FB08714F248529E816A7380D775A481CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                APIs
                                • RtlEncodePointer.NTDLL(00000000), ref: 04EE4D42
                                Memory Dump Source
                                • Source File: 00000001.00000002.510720770.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_4ee0000_cvtres.jbxd
                                Similarity
                                • API ID: EncodePointer
                                • String ID:
                                • API String ID: 2118026453-0
                                • Opcode ID: 19b62f665fb280c941741bdb3e225a3f217b2bf2e96b2e22afe7c8275a105f7e
                                • Instruction ID: 7496be6759b6adcd7877f3c890f27aa2399ce6513c03b587701d2f592e4d2238
                                • Opcode Fuzzy Hash: 19b62f665fb280c941741bdb3e225a3f217b2bf2e96b2e22afe7c8275a105f7e
                                • Instruction Fuzzy Hash: E3219A709057498FCB10DFAAD5087EEBBF4EB45314F14852AD405A3682D339A548CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                APIs
                                • RtlEncodePointer.NTDLL(00000000), ref: 04EE4D42
                                Memory Dump Source
                                • Source File: 00000001.00000002.510720770.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_4ee0000_cvtres.jbxd
                                Similarity
                                • API ID: EncodePointer
                                • String ID:
                                • API String ID: 2118026453-0
                                • Opcode ID: 56646716ab0670412b07bcfc465f04fe5ef1968a5b5f33cadf8e216cc1f7e685
                                • Instruction ID: a3c46eb6cffbd2bb1de1efe5a8a4c788cb4cb41fea9ecb7b267fe3fcd086a837
                                • Opcode Fuzzy Hash: 56646716ab0670412b07bcfc465f04fe5ef1968a5b5f33cadf8e216cc1f7e685
                                • Instruction Fuzzy Hash: 5E11A9B0D00749CFDB10EFAAD5087EEBBF8EB49318F108429D404A3681D779A548CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c6289377330858638c308f47ef3bd3df5a7e8bc520308559bc5144cf91297ad3
                                • Instruction ID: 1fd64701bf5b703b6895811fabd998e24bdd79a89137538360a9a70469a63791
                                • Opcode Fuzzy Hash: c6289377330858638c308f47ef3bd3df5a7e8bc520308559bc5144cf91297ad3
                                • Instruction Fuzzy Hash: 17020670F005244FFF709A78E4947AD77B6DB8A254F214836E406EB390EB79DC528B92
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be1dec67432d5ae49dfa82025b0e8cd312fb5619bd8c2f8e6e8b50e0b590a431
                                • Instruction ID: 2258485eac49195a06b0a3f9de2e38c579b14a032cc847f8c4ef1afd7db375f7
                                • Opcode Fuzzy Hash: be1dec67432d5ae49dfa82025b0e8cd312fb5619bd8c2f8e6e8b50e0b590a431
                                • Instruction Fuzzy Hash: A5E1E230B002648FEB14DBB4E4956AEBBF2EF89304F154469E406DB351EB39DC56CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph
                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 463532937fe2a0b1773d2c6fa4ed3294b5424557311e9dc390bdd92fcdffd9e1
                                • Instruction ID: 446214465ad2a75729029a3e5fa9a95a8081f73e90b81072a4cce37af0c30981
                                • Opcode Fuzzy Hash: 463532937fe2a0b1773d2c6fa4ed3294b5424557311e9dc390bdd92fcdffd9e1
                                • Instruction Fuzzy Hash: 8CF12A71A102158FCB15CF69D5A49AEF7F6FF88710B1A8069E619AB372CB30EC45CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph rendering not reproducible in text: basic blocks span a125e90 to a126250, no outgoing calls]
                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 50b249a569b8ccec98f5114aca5dd34c1cdcc7adfb8ae38d3a4005376c3d4372
                                • Instruction ID: 88d55950d054ad8273f85e5abfa7452016ae01c890945e75177f0b0ab8b27a7c
                                • Opcode Fuzzy Hash: 50b249a569b8ccec98f5114aca5dd34c1cdcc7adfb8ae38d3a4005376c3d4372
                                • Instruction Fuzzy Hash: 66A17E303141258FFB399B39C89473D76AAEF85604F16407AE522CF3E5DB29DC628B46
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph rendering not reproducible in text: basic blocks span a126d28 to a127058, with a call to a125380]
                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5f0260b6c5122f9b49f2ee89cfd71d909efb81b7198ee2e275859933ecb75b17
                                • Instruction ID: e056b79c69c0d50f744bc88d12b0582648be0a18274604001b4d5e7849750661
                                • Opcode Fuzzy Hash: 5f0260b6c5122f9b49f2ee89cfd71d909efb81b7198ee2e275859933ecb75b17
                                • Instruction Fuzzy Hash: 3C91D1307001289FEB18EF64C864BBE77A6EB88355F058428E5169B3D4DF34DC56CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7c27078241521be04c12dc2fc5dcc5dd1fd71f67fc63a89ec28e1d5c53cc7beb
                                • Instruction ID: 689bb6cdb641f3cb85452699bceee1fd741a34a364682e30080744c57fa49f2d
                                • Opcode Fuzzy Hash: 7c27078241521be04c12dc2fc5dcc5dd1fd71f67fc63a89ec28e1d5c53cc7beb
                                • Instruction Fuzzy Hash: 7B717B34B002598BDB58ABB9D46976E76E7EFC8344F158929D406DB384EF3CDC028B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 95fa36929db870daaabd02d525469c35d86e9a0a6336695d1810300f4944c3b7
                                • Instruction ID: 0c3a13a3346ae5a5e3a283c7fcde0523ae3c0f028d62c1ce29d34efea97d6ed7
                                • Opcode Fuzzy Hash: 95fa36929db870daaabd02d525469c35d86e9a0a6336695d1810300f4944c3b7
                                • Instruction Fuzzy Hash: EB91D275A102198FCB05CFA8D598A9DFBF6BB48310F1A8069E519AB372D730EC45CF54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b90a5c01ee55ebc835b2295443b8d14e18f4ff31feddb706277728c47cea586d
                                • Instruction ID: 02fb62efe11bce99ca443d35435ff2d5c2d68bd89fdf1696ff1f949752f9a24b
                                • Opcode Fuzzy Hash: b90a5c01ee55ebc835b2295443b8d14e18f4ff31feddb706277728c47cea586d
                                • Instruction Fuzzy Hash: 45712430B042108FFB24CB69E5547ADBBE2EF85314F28C1AAD4199F396E771C8568B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e2602e5ff4edd0363abc293bcdd66165f8e964ae35f95acbfb3629ce9e2d30d9
                                • Instruction ID: 71b5d085a3d33fb3eea17a508c5ee8eae73b707a3a200c51f153e6d1927854a0
                                • Opcode Fuzzy Hash: e2602e5ff4edd0363abc293bcdd66165f8e964ae35f95acbfb3629ce9e2d30d9
                                • Instruction Fuzzy Hash: A851BD307246594FDB0A6F79A47853D7BABDFC568130A447AE607CB3A1EF28CD028752
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 120d5dd1a5f01e4c787bd3dd6219deec34929c656b539cfd34b7886691cb1d2d
                                • Instruction ID: 56e01114a06157337fabc7e2aee2756262839fa43e0fac0976528c164729a6ad
                                • Opcode Fuzzy Hash: 120d5dd1a5f01e4c787bd3dd6219deec34929c656b539cfd34b7886691cb1d2d
                                • Instruction Fuzzy Hash: F07128307102558FEB28DF28C894A6A7BE7AF49225F1640A9E905CB371EB79DC51CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 94dc2bf903f6130ef1e90cbcec0dc6e2462f878a94dd472cfcbc65944d3a27f5
                                • Instruction ID: 8ce0085e341e387739ec20588ae06505d8580a3ed094df832bd3d5f6587b56da
                                • Opcode Fuzzy Hash: 94dc2bf903f6130ef1e90cbcec0dc6e2462f878a94dd472cfcbc65944d3a27f5
                                • Instruction Fuzzy Hash: BB618E30F002189FEF54ABB9D4147AEBAE6EFC8394F148469D506AB381DF788C558F91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ddab770d9612997b63945d343c8bca06a8252a6fb3e46f4dddb86afadc28e9cc
                                • Instruction ID: 60bf6960192f6c9cdc2adff34106c3a549feb7173368d794da4547a5db2d1e44
                                • Opcode Fuzzy Hash: ddab770d9612997b63945d343c8bca06a8252a6fb3e46f4dddb86afadc28e9cc
                                • Instruction Fuzzy Hash: BA611738F201158FCB15EF68C5A05AEF7B3AFC5250F168075E9026B760E7349D41CBA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: faef8e55138b8d91d14a49db8462077de881d1374df18dce8ca327d0d1d56817
                                • Instruction ID: 02dadc2b4dc56491fb405ed86c5727a0c4fca87f26169747748024f36e742d01
                                • Opcode Fuzzy Hash: faef8e55138b8d91d14a49db8462077de881d1374df18dce8ca327d0d1d56817
                                • Instruction Fuzzy Hash: 51615B71E003999FEF25CFA5C54069EBBF2EF89300F218259E825AB285D770E951CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cb336d7b72a35eec7a06058a10900b7dc0ef09642eb6d9c6f6fb3d10a6fadbe6
                                • Instruction ID: 1788a7b1b4ed1715ce0dd0e97565a4e613bd13c9bee78d446d9f8f848bd48a75
                                • Opcode Fuzzy Hash: cb336d7b72a35eec7a06058a10900b7dc0ef09642eb6d9c6f6fb3d10a6fadbe6
                                • Instruction Fuzzy Hash: 7E51D430B0D3904FE7228728D4557A9BFA29B82304F19C4EAC059CF697E779C85B8B52
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f6e86725951598992d6a1b6da14de3864f00a9c584061cb867e2c13f3ba781c1
                                • Instruction ID: 5a76052ebbb4e4a7d2f67151a369ccb4cc70ca1bae8fa55829f1ec07e04eb974
                                • Opcode Fuzzy Hash: f6e86725951598992d6a1b6da14de3864f00a9c584061cb867e2c13f3ba781c1
                                • Instruction Fuzzy Hash: CE514875A002599FDF19CFA4C8849DEBBB2FF89360F11811AE805AB254E7389965CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 336bd0ef87689293bd5c2bca5f2cb5233ac633a77524776161f0af8a5a6c5284
                                • Instruction ID: cae76fbed95f9ba993826f4deba9b1c2fc2220ce44ee5fc870fe3615fabceb03
                                • Opcode Fuzzy Hash: 336bd0ef87689293bd5c2bca5f2cb5233ac633a77524776161f0af8a5a6c5284
                                • Instruction Fuzzy Hash: 58419034B402158FEF58ABB9D42977E76E7EF88644F158429D906DB384EF38CC428B81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cf0c797b399679b7c75222a593c131cdce4e07b7fd705093f67493f7c96b7bb0
                                • Instruction ID: 22e100b7316e0deb121de227583708523eafddf3e9acde3fe4214df1093b0f03
                                • Opcode Fuzzy Hash: cf0c797b399679b7c75222a593c131cdce4e07b7fd705093f67493f7c96b7bb0
                                • Instruction Fuzzy Hash: 4E419030B002189FEB54ABB9D41477E7AE7EFC9384F148569D506AB3D1DF788C058B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 727107f0db68e96f46030ea91c41da906e6777bda5ca19475dd5546701ea2c73
                                • Instruction ID: f3f8d497224d4eaeb6ed5331b6bb357136ce60a2c250ada622206701a5f8f360
                                • Opcode Fuzzy Hash: 727107f0db68e96f46030ea91c41da906e6777bda5ca19475dd5546701ea2c73
                                • Instruction Fuzzy Hash: 794103313142558FCB16DF65E86466A7BA2FF84350F0580A9FA0ACB3A1DB38DD12CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6747c33fe373a8a52afb4ef903846b113c0549578e2317dae4bbe9a4ce26b749
                                • Instruction ID: 1b8a0e0d0d9f06a4a411f84e441a0a7086c032a5213889d7dab5d48770a129fe
                                • Opcode Fuzzy Hash: 6747c33fe373a8a52afb4ef903846b113c0549578e2317dae4bbe9a4ce26b749
                                • Instruction Fuzzy Hash: E131F431B0425A9FCB11CF69D850AAEFBB8FF85310F05407BE655D7262D3709905CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e2340ad9ce6bfe5ee3bbe553b8214e5fb0851f6d8fce06762b64ece19a0b0a13
                                • Instruction ID: 88502f506bb9fafedeea3c8b96a04a53c92bb92ffb0b36a6187710d00e1392a5
                                • Opcode Fuzzy Hash: e2340ad9ce6bfe5ee3bbe553b8214e5fb0851f6d8fce06762b64ece19a0b0a13
                                • Instruction Fuzzy Hash: 8D31E630F093905FD715AB7898156AA7FE5DF86304F0681B6D549CB352EB38CC178791
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5036b238a9f14830b4482c4fbcec47b7c15d9d6a25de91ded7f7d7c84979110b
                                • Instruction ID: 920c9c91060e7b2674df061610db6632de87ee64ae27bda8c193b09c35337265
                                • Opcode Fuzzy Hash: 5036b238a9f14830b4482c4fbcec47b7c15d9d6a25de91ded7f7d7c84979110b
                                • Instruction Fuzzy Hash: 1E31A130E111098FCB15DF69C8949AFFBB3EF85760B198169E6159B3B1CB349C51CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a4c69f2e02b047acf20dba1905893aa5662aaa55f07455355926a26a320ec16d
                                • Instruction ID: a20c4713924e481cc497ac1212f26af04cb78d6624c7e87cd3737ea46b334116
                                • Opcode Fuzzy Hash: a4c69f2e02b047acf20dba1905893aa5662aaa55f07455355926a26a320ec16d
                                • Instruction Fuzzy Hash: 6B31D431600259DFEB11DF28C888B5ABBB3EF86320F058555D4199F3A2D735EC24CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e551b8031867e9d386e5fafa735dad2cf4a33fde48f160481f3f682843263925
                                • Instruction ID: aeb088882591119d9761331779a408171092dea430dde820fd351ef059307c3c
                                • Opcode Fuzzy Hash: e551b8031867e9d386e5fafa735dad2cf4a33fde48f160481f3f682843263925
                                • Instruction Fuzzy Hash: F7214F367106158FC7159F6DD4A4A2AB3E6EFC8B20B1A407AFA09CB375DA71DC058B50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 79576adbb2443f4a6d7ac0e97f2e8a644d6761faabf87de6e23411278a2c39cc
                                • Instruction ID: 23bf200165954926f0653e39d400e318afe21f964b3e62fdff21bacbb6cfa83f
                                • Opcode Fuzzy Hash: 79576adbb2443f4a6d7ac0e97f2e8a644d6761faabf87de6e23411278a2c39cc
                                • Instruction Fuzzy Hash: 60216D70A0425AEBEB24DFA5D845BEEBBB6BF44304F108029E501BB391DB79D945CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c502ae00e4785b75fffd7390431368c0c4303e149d6cc9f201b2de18f9b8de0a
                                • Instruction ID: d74a85eaae496714f554fc8324dcd68c1027ff2c5ffe850872e063077e2a191f
                                • Opcode Fuzzy Hash: c502ae00e4785b75fffd7390431368c0c4303e149d6cc9f201b2de18f9b8de0a
                                • Instruction Fuzzy Hash: 3E216B34A0025C9FDB15CFE9E480AEEBBB6BF89201F148029E541B6360DB35D941CF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4b63282e0ceb16a95831149b10b545e44cac8d9e856acf5f9d3886a5ce87201a
                                • Instruction ID: a190e6c73aec0d65f8cd4fa618f2af7b3f70680d178165b8ce2bbc35319f2955
                                • Opcode Fuzzy Hash: 4b63282e0ceb16a95831149b10b545e44cac8d9e856acf5f9d3886a5ce87201a
                                • Instruction Fuzzy Hash: BD212C34A04268DFDF168FA0C8949ED7FB6BF89361F018055E811AB250E739D975DF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.514810797.00000000092F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_92f0000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.515239027.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_a120000_cvtres.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%