
Windows Analysis Report
HEATEXCHANGER-PDF.exe

Overview

General Information

Sample name: HEATEXCHANGER-PDF.exe
Analysis ID: 1447919
MD5: 83313ce4e9846836e9238791e84dc6d4
SHA1: 8bbbb5f96885ce3592045d785ae39c6c0ffed00b
SHA256: 782b86544af52d5305148dfdb61a8055090078efbed7a2a073058c970fcb3e5d
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • HEATEXCHANGER-PDF.exe (PID: 5656 cmdline: "C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe" MD5: 83313CE4E9846836E9238791E84DC6D4)
    • AddInProcess32.exe (PID: 2836 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • AddInProcess32.exe (PID: 3716 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • WerFault.exe (PID: 4688 cmdline: C:\Windows\system32\WerFault.exe -u -p 5656 -s 1060 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.oripam.xyz", "Username": "akpa@oripam.xyz", "Password": ";KPp6ZU~hCyT"}
Yara matches in process memory dumps (Source; Rule; Description; Author; Strings):
Source: 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: 00000002.00000002.3219289884.0000000002F19000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000002.00000002.3217634764.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000002.00000002.3217634764.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Yara matches in unpacked PE files (Source; Rule; Description; Author; Strings):
Source: 2.2.AddInProcess32.exe.400000.0.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 2.2.AddInProcess32.exe.400000.0.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 2.2.AddInProcess32.exe.400000.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Description: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen; Strings: eight matched vault schema GUIDs ($s1 to $s8)
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security

                    System Summary

Sigma rule match (Suspicious Outbound SMTP Connections):
Source: Network Connection; Author: frack113; Data: DestinationIp: 185.56.136.50, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 2836, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
                    No Snort rule has matched


                    AV Detection

Source: http://mail.oripam.xyz; Avira URL Cloud: Label: malware
Source: http://oripam.xyz; Avira URL Cloud: Label: malware
Source: 2.2.AddInProcess32.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.oripam.xyz", "Username": "akpa@oripam.xyz", "Password": ";KPp6ZU~hCyT"}
Source: HEATEXCHANGER-PDF.exe; ReversingLabs: Detection: 65%
Source: HEATEXCHANGER-PDF.exe; Virustotal: Detection: 66%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: HEATEXCHANGER-PDF.exe; Joe Sandbox ML: detected

                    Exploits

Source: Yara match; File source: 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: HEATEXCHANGER-PDF.exe PID: 5656, type: MEMORYSTR
Source: HEATEXCHANGER-PDF.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.Drawing.pdbp^! source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.pdbp^! source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.CSharp.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Dynamic.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Core.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Windows.Forms.pdb; source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdb source: WER496C.tmp.dmp.6.dr

                    Networking

Source: DNS query: mail.oripam.xyz
Source: global traffic; TCP traffic: 192.168.2.5:49704 -> 185.56.136.50:587
Source: Joe Sandbox View; IP Address: 185.56.136.50
Source: Joe Sandbox View; ASN Name: SECUREDSERVERS-EU
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: mail.oripam.xyz
Source: AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.oripam.xyz
Source: AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://oripam.xyz
Source: AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006251000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://r3.i.lencr.org/0m
Source: AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006251000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://r3.o.lencr.org0
Source: Amcache.hve.6.dr; String found in binary or memory: http://upx.sf.net
Source: AddInProcess32.exe, 00000002.00000002.3218358166.00000000011D1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006263000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006251000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://x1.c.lencr.org/0
Source: AddInProcess32.exe, 00000002.00000002.3218358166.00000000011D1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3218358166.00000000011C1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006263000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006251000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://x1.i.lencr.org/0
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3217634764.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, R1W.cs; .Net Code: iSeyBF

                    System Summary

Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec22f28.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec1acf8.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5656 -s 1060
Source: HEATEXCHANGER-PDF.exe; Static PE information: No import functions for PE file found
Source: HEATEXCHANGER-PDF.exe, 00000000.00000000.1977746171.0000023F0CEF2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameNativeMethods.dll" vs HEATEXCHANGER-PDF.exe
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207486501.0000023F0D250000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameNativeMethods.dll" vs HEATEXCHANGER-PDF.exe
Source: HEATEXCHANGER-PDF.exe, 00000000.00000000.1977746171.0000023F0CEFC000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameExiwalalonihuzarixeyiH vs HEATEXCHANGER-PDF.exe
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename32d181c0-3d36-4c96-9f49-7cdcb5c2e04b.exe4 vs HEATEXCHANGER-PDF.exe
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameNativeMethods.dll" vs HEATEXCHANGER-PDF.exe
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameExiwalalonihuzarixeyiH vs HEATEXCHANGER-PDF.exe
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameEpigagifL vs HEATEXCHANGER-PDF.exe
Source: HEATEXCHANGER-PDF.exe; Binary or memory string: OriginalFilenameNativeMethods.dll" vs HEATEXCHANGER-PDF.exe
Source: HEATEXCHANGER-PDF.exe; Binary or memory string: OriginalFilenameExiwalalonihuzarixeyiH vs HEATEXCHANGER-PDF.exe
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec22f28.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec1acf8.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, KLhJmaON.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, 7hO8luD.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, 9HIFdl.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, 9HIFdl.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine; Classification label: mal100.troj.spyw.expl.evad.winEXE@6/5@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5656
Source: C:\Windows\System32\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\362e80f3-b4c6-4a0e-8735-a02356b79e1e
Source: HEATEXCHANGER-PDF.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HEATEXCHANGER-PDF.exe; Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; File read: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe
Source: unknown; Process created: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe "C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe"
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: HEATEXCHANGER-PDF.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: HEATEXCHANGER-PDF.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: HEATEXCHANGER-PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: System.Drawing.pdbp^! source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.pdbp^! source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.CSharp.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Dynamic.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Core.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Windows.Forms.pdb; source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER496C.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdb source: WER496C.tmp.dmp.6.dr
                    Source: HEATEXCHANGER-PDF.exe Static PE information: 0xD7B7C12B [Thu Sep 7 05:46:19 2084 UTC]
                    Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe Code function: 0_2_00007FF848F359E7 push es; retf 0_2_00007FF848F35A27
                    Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe Code function: 0_2_00007FF848F300BD pushad ; iretd 0_2_00007FF848F300C1
                    Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe Code function: 0_2_00007FF848F31B9D push eax; retn 48E2h 0_2_00007FF848F31BD3
                    Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe Code function: 0_2_00007FF8490403BD push esp; retf 4810h 0_2_00007FF8490406B2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 2_2_01510718 push eax; ret 2_2_01510722
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 2_2_01510708 push eax; ret 2_2_01510712
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 2_2_01510728 push eax; ret 2_2_01510732
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 2_2_015106C8 push eax; ret 2_2_015106F2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 2_2_015106C8 push eax; ret 2_2_01510702
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 2_2_01510698 push eax; ret 2_2_01510712
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 2_2_01510698 push eax; ret 2_2_01510722
                    Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: HEATEXCHANGER-PDF.exe PID: 5656, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe Memory allocated: 23F0D220000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe Memory allocated: 23F26B70000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1510000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2EA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4EA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow / User API: threadDelayed 887Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow / User API: threadDelayed 5387Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -18446744073709540s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2584Thread sleep count: 887 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -99875s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2584Thread sleep count: 5387 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -99766s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -99641s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -99516s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -99406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -99297s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -99186s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -99078s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -98966s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -98859s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -98750s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -98637s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -98531s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -98422s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -98313s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -98203s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -98093s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -97984s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -97871s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -97766s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -97656s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -97538s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -97422s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -97312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -97203s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -97094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -96984s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -96874s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -96766s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -96656s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2804Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98637
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 96984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 96874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 96766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 96656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 922337203685477
Source: Amcache.hve.6.dr | Binary or memory string: VMware
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000002.00000002.3222781401.0000000006220000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3217634764.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: hgfsZrw6
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: HEATEXCHANGER-PDF.exe, 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec22f28.2.raw.unpack, NativeMethods.cs | Reference to suspicious API methods: xVirtualProtect(address, size, newProtect, out oldProtect)
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec22f28.2.raw.unpack, NativeMethods.cs | Reference to suspicious API methods: xLoadLibrary(libraryName)
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec22f28.2.raw.unpack, NativeMethods.cs | Reference to suspicious API methods: xGetProcAddress(moduleHandle, procName)
Source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, moEk.cs | Reference to suspicious API methods: EYAPsVT.OpenProcess(CgGfQLvbm.DuplicateHandle, bInheritHandle: true, (uint)_2y5.ProcessID)
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: C14008
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Queries volume information: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec22f28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec1acf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3219289884.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3217634764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3219289884.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HEATEXCHANGER-PDF.exe PID: 5656, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 2836, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec22f28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec1acf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3217634764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3219289884.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HEATEXCHANGER-PDF.exe PID: 5656, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 2836, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec22f28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1ec1acf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HEATEXCHANGER-PDF.exe.23f1eb822b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3219289884.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3217634764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3219289884.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HEATEXCHANGER-PDF.exe PID: 5656, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 2836, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; the numeric prefix shown before a technique is the count displayed for it in the report)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution: 121 Windows Management Instrumentation | 1 Native API | At | Cron | Launchd | Scheduled Task | Systemd Timers
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Privilege Escalation: 211 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Defense Evasion: 1 Disable or Modify Tools | 151 Virtualization/Sandbox Evasion | 211 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Obfuscated Files or Information | 1 Timestomp | 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping | 1 Input Capture | 1 Credentials in Registry | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery: 231 Security Software Discovery | 1 Process Discovery | 151 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 File and Directory Discovery | 24 System Information Discovery | Remote System Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection: 1 Email Collection | 1 Input Capture | 11 Archive Collected Data | 2 Data from Local System | Keylogging | GUI Input Capture | Web Portal Capture
Command and Control: 1 Encrypted Channel | 1 Non-Standard Port | 1 Non-Application Layer Protocol | 11 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery
Antivirus detection (submitted file)
Source | Detection | Scanner | Label | Link
HEATEXCHANGER-PDF.exe | 66% | ReversingLabs | Win64.Spyware.Negasteal |
HEATEXCHANGER-PDF.exe | 66% | Virustotal | | Browse
HEATEXCHANGER-PDF.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
Antivirus detection (domains)
Source | Detection | Scanner | Label | Link
oripam.xyz | 3% | Virustotal | | Browse
mail.oripam.xyz | 4% | Virustotal | | Browse
Antivirus detection (URLs)
Source | Detection | Scanner | Label | Link
http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
http://r3.i.lencr.org/0m | 0% | Avira URL Cloud | safe |
http://mail.oripam.xyz | 100% | Avira URL Cloud | malware |
http://oripam.xyz | 100% | Avira URL Cloud | malware |
http://r3.i.lencr.org/0m | 0% | Virustotal | | Browse
http://oripam.xyz | 3% | Virustotal | | Browse
http://mail.oripam.xyz | 4% | Virustotal | | Browse
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
oripam.xyz | 185.56.136.50 | true | true | | unknown
mail.oripam.xyz | unknown | unknown | true | | unknown
URLs
Name | Source | Malicious | Antivirus Detection | Reputation
http://r3.o.lencr.org0 | AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006251000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
http://r3.i.lencr.org/0m | AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006251000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://account.dyn.com/ | HEATEXCHANGER-PDF.exe, 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3217634764.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.c.lencr.org/0 | AddInProcess32.exe, 00000002.00000002.3218358166.00000000011D1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006263000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006251000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | AddInProcess32.exe, 00000002.00000002.3218358166.00000000011D1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3218358166.00000000011C1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006263000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.3222781401.0000000006251000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.oripam.xyz | AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://oripam.xyz | AddInProcess32.exe, 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp | false | 3%, Virustotal, Browse; Avira URL Cloud: malware | unknown
                    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                    185.56.136.50 | oripam.xyz | Malta | | 60558 | SECUREDSERVERS-EU | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1447919
                    Start date and time:2024-05-27 12:29:42 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 5m 39s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:11
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:HEATEXCHANGER-PDF.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.expl.evad.winEXE@6/5@1/1
                    EGA Information:
                    • Successful, ratio: 50%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 104.208.16.94
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
                    • Execution Graph export aborted for target HEATEXCHANGER-PDF.exe, PID 5656 because it is empty
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    Time | Type | Description
                    06:30:32 | API Interceptor | 31x Sleep call for process: AddInProcess32.exe modified
                    06:30:48 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    185.56.136.50 | HJT3fdlBod.exe | Get hash | malicious | GuLoader | Browse
                    • timefrieghts.com/wp-content/plugins/wpcargo/includes/config/binned_iZyvWaLXE113.bin
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    SECUREDSERVERS-EU | Cheq.vbe | Get hash | malicious | AgentTesla, GuLoader | Browse
                    • 185.56.136.50
                     | INV9019849.exe | Get hash | malicious | AgentTesla | Browse
                    • 185.56.136.50
                     | NKU101.exe | Get hash | malicious | AgentTesla | Browse
                    • 185.56.136.50
                     | SWIFTUSD30985.exe | Get hash | malicious | AgentTesla | Browse
                    • 185.56.136.50
                     | 991887.exe | Get hash | malicious | AgentTesla | Browse
                    • 185.56.136.50
                     | f5msHWi3Cl.exe | Get hash | malicious | AgentTesla | Browse
                    • 185.56.136.50
                     | SecuriteInfo.com.Win64.TrojanX-gen.17222.13558.exe | Get hash | malicious | AgentTesla | Browse
                    • 185.56.136.50
                     | SecuriteInfo.com.Win64.PWSX-gen.20057.28212.exe | Get hash | malicious | AgentTesla | Browse
                    • 185.56.136.50
                     | SecuriteInfo.com.Trojan.PackedNET.2742.2492.3257.exe | Get hash | malicious | AgentTesla | Browse
                    • 185.56.136.50
                     | qWLVwpwiVS.elf | Get hash | malicious | Unknown | Browse
                    • 131.153.16.214
                    No context
                    No context
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):1.0388211695167455
                    Encrypted:false
                    SSDEEP:384:cY2tS5OKsvUnUbMWam8GzuiFPY4lO8ZQ:r2tS5IvUnUbMWayzuiFPY4lO8Z
                    MD5:731FA0414CB6E3E8B310A57804C18AEF
                    SHA1:799FE13E914F1D12EC97962716C0A7DB46933439
                    SHA-256:25F61C6D0359953F5ABBD147F5A013F71D00205EEA626B87CC6DC56ADB05E805
                    SHA-512:B7F7722EE5F1704D27224FB398DB290491B8D407CF4879268F56CF40DA6C54B3FAE92D9A4A8CC49FC51BBD606A83096E22D93C08B3474860067B5D4C35617E90
                    Malicious:false
                    Reputation:low
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.2.7.9.4.3.2.2.0.2.7.5.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.2.7.9.4.3.3.7.6.5.2.5.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.3.e.9.c.0.3.-.a.4.6.3.-.4.3.b.d.-.b.1.d.b.-.3.a.e.7.d.2.7.a.7.a.4.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.1.1.8.e.3.8.d.-.8.c.7.3.-.4.5.7.7.-.9.d.4.e.-.5.9.4.7.5.b.0.2.1.7.7.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.H.E.A.T.E.X.C.H.A.N.G.E.R.-.P.D.F...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.i.w.a.l.a.l.o.n.i.h.u.z.a.r.i.x.e.y.i.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.1.8.-.0.0.0.1.-.0.0.1.4.-.7.2.5.6.-.0.d.e.3.2.0.b.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.c.8.8.6.4.7.a.c.b.b.f.5.0.a.8.8.1.6.f.0.7.2.7.a.8.9.a.c.3.b.b.0.0.0.0.0.0.0.0.!.0.0.0.0.8.b.b.b.b.5.f.9.6.8.8.5.c.e.3.5.9.2.0.4.5.d.7.8.5.a.e.3.9.c.6.c.0.f.f.
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:Mini DuMP crash report, 16 streams, Mon May 27 10:30:33 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):452708
                    Entropy (8bit):3.5636083196958848
                    Encrypted:false
                    SSDEEP:3072:kQUbEQp2hv69x2J3R43MdcSZYIFJtkN5H41CCqRgHhl73+ve1pnt:kQUbEQp2t6kRp9Z3q2HH3QW
                    MD5:E310E6E4BE0FD21ACDD72DCADB7DF78F
                    SHA1:A944995562BCF85AAE9B59C6DFBE8564651796E3
                    SHA-256:9DB408E097742A615CD818AE052D28306638B7ABE8C389D9CC685F167BC4CE6B
                    SHA-512:2CFEC1C20131730C55C17A4604FD1100DBD4C4105F13E76FC30C57DAA2625F47A2AAE0DEFF4BC7FF50FDCAE1C1525C879E89484B999FB6B520261AC97C092FA7
                    Malicious:false
                    Reputation:low
                    Preview:MDMP..a..... ........`Tf........................D...........$............2..<.......4n.............l.......8...........T...........x)..............O...........Q..............................................................................eJ......hR......Lw......................T............`Tf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8636
                    Entropy (8bit):3.720491327521945
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJDzcart96YEIOJ3gmf+14dprV89b8Qyfo3vUm:R6lXJDoap96YEBJ3gmf+14i8lf6
                    MD5:75BE1D553D0EB349C4B243260A25E46B
                    SHA1:84B318A0A3A3A39A2086466B65823113D20A3B1A
                    SHA-256:C56A905D0A6F9A2567E01A262F9ED08C0756B1602F5903144785423B80A90A1B
                    SHA-512:23D2D7256761DF6CD765F27D1CE58B23C1A36B96AF507579530D864E7226F81651BCE4C8ED92543558E9271CCBD233B0A4E1A5433C06C50AB4D6470BDD6C6B3D
                    Malicious:false
                    Reputation:low
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.5.6.<./.P.i.
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4808
                    Entropy (8bit):4.582197754615862
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsfJg771I94DWpW8VY6Ym8M4JPY+FLyq851xXAFjq+iFTd:uIjfBI73y7V6JPpwFWjq+idd
                    MD5:7F4B58294F2D8945127F3644398947E0
                    SHA1:63A33241AA96CD41B550B946C9678A0DEA4D992E
                    SHA-256:6E8B2A545A11FB88C1335585663D452025E4255AEE49E40674BD3EF79B21F243
                    SHA-512:8EA9B3FF765E97C5A9B6526E29238B369CA8EB39DF228B6E4A213166AC492F42C4845B75F429FBBD3FDF481DADEF7349E601FE4746C08E5F0E065AB9F94CDCE4
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="341373" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):1835008
                    Entropy (8bit):4.422143181791921
                    Encrypted:false
                    SSDEEP:6144:YSvfpi6ceLP/9skLmb0OTaWSPHaJG8nAgeMZMMhA2fX4WABlEnNc0uhiTw:jvloTaW+EZMM6DFyu03w
                    MD5:2EC7937C6089A0F0850A673C35991009
                    SHA1:D6F099CD6690D8B1C4B0929A8DE27CD6E797A25F
                    SHA-256:1F29F24EF77A5C70CAB8B0EB7357BF8E7935A76B9519CF6861DA669DD15A1820
                    SHA-512:B8C29D9E5DC2F568623FCEA7D937F433C7653455E7103774540291AE61C9C1EFF27577A49D3FC4FE757424A355D24459A78935D0F8925A32C227CA887A384A31
                    Malicious:false
                    Reputation:low
                    Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.967619143586467
                    TrID:
                    • Win64 Executable GUI Net Framework (217006/5) 49.88%
                    • Win64 Executable GUI (202006/5) 46.43%
                    • Win64 Executable (generic) (12005/4) 2.76%
                    • Generic Win/DOS Executable (2004/3) 0.46%
                    • DOS Executable Generic (2002/1) 0.46%
                    File name:HEATEXCHANGER-PDF.exe
                    File size:625'161 bytes
                    MD5:83313ce4e9846836e9238791e84dc6d4
                    SHA1:8bbbb5f96885ce3592045d785ae39c6c0ffed00b
                    SHA256:782b86544af52d5305148dfdb61a8055090078efbed7a2a073058c970fcb3e5d
                    SHA512:27cbea7aca6e359ca96d56e4fc16f0a43f960bae957cdd6659e8133f445416ab60ec78cff7e532ed162c5f0c66c990a6bacec42576aa170adba14101b91f0f2b
                    SSDEEP:12288:eKwbq0NyhcJM31HLkpxyCfaP4TSioXolbvPFAEUO34U:haNUn31gvvPmUvdIO37
                    TLSH:DED423642BED75BADEEB5DBCFC6566096630F18529C6CD2E2C28076F01C3A484F503D6
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...+............."...0.L................ ....@...... ....................................`................................
                    Icon Hash:00928e8e8686b000
                    Entrypoint:0x400000
                    Entrypoint Section:
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0xD7B7C12B [Thu Sep 7 05:46:19 2084 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:
                    Instruction
                    dec ebp
                    pop edx
                    nop
                    add byte ptr [ebx], al
                    add byte ptr [eax], al
                    add byte ptr [eax+eax], al
                    add byte ptr [eax], al
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x9f4 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb030 | 0x1c | .text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0x904c | 0x9200 | a2a5cc13e48624f7d731c3311ce239e2 | False | 0.4468910530821918 | data | 5.596865658038361 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0xc000 | 0x9f4 | 0xa00 | c383e93d6282267d6c7a4f81ed9fb1cb | False | 0.3125 | data | 4.1511610977624755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_VERSION | 0xc0b8 | 0x3a8 | data | | | 0.4861111111111111
                    RT_VERSION | 0xc460 | 0x3a8 | data | English | United States | 0.4893162393162393
                    RT_MANIFEST | 0xc808 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                    Language of compilation system | Country where language is spoken | Map
                    English | United States |
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    May 27, 2024 12:30:33.919586897 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:33.927122116 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:33.927335978 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:34.670829058 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:34.675173044 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:34.680706978 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:34.856542110 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:34.856739998 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:34.861785889 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.031779051 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.055622101 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:35.060726881 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.245785952 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.245865107 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.245906115 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.245953083 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:35.281191111 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:35.286217928 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.480447054 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.493798018 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:35.500961065 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.678087950 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.679277897 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:35.684216022 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.890618086 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:35.898415089 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:35.903357983 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.120301962 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.120786905 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:36.125792027 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.296863079 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.297110081 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:36.302089930 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.690414906 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.692565918 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:36.697498083 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.867213964 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.870162010 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:36.870258093 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:36.870294094 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:36.870333910 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:30:36.875251055 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.875282049 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.875313044 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:36.875339985 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:37.171051979 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:30:37.217300892 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:32:13.829689026 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    May 27, 2024 12:32:13.834773064 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:32:14.014970064 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5
                    May 27, 2024 12:32:14.019958973 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    May 27, 2024 12:30:33.822221041 CEST | 58287 | 53 | 192.168.2.5 | 1.1.1.1
                    May 27, 2024 12:30:33.901144028 CEST | 53 | 58287 | 1.1.1.1 | 192.168.2.5
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    May 27, 2024 12:30:33.822221041 CEST | 192.168.2.5 | 1.1.1.1 | 0x5452 | Standard query (0) | mail.oripam.xyz | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    May 27, 2024 12:30:33.901144028 CEST | 1.1.1.1 | 192.168.2.5 | 0x5452 | No error (0) | mail.oripam.xyz | oripam.xyz | | CNAME (Canonical name) | IN (0x0001) | false
                    May 27, 2024 12:30:33.901144028 CEST | 1.1.1.1 | 192.168.2.5 | 0x5452 | No error (0) | oripam.xyz | | 185.56.136.50 | A (IP address) | IN (0x0001) | false
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                    May 27, 2024 12:30:34.670829058 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5 | 220-terminal7.veeblehosting.com ESMTP Exim 4.97.1 #2 Mon, 27 May 2024 16:00:34 +0530
                        220-We do not authorize the use of this system to transport unsolicited,
                        220 and/or bulk e-mail.
                    May 27, 2024 12:30:34.675173044 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50 | EHLO 405464
                    May 27, 2024 12:30:34.856542110 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5 | 250-terminal7.veeblehosting.com Hello 405464 [8.46.123.175]
                        250-SIZE 52428800
                        250-8BITMIME
                        250-PIPELINING
                        250-PIPECONNECT
                        250-STARTTLS
                        250 HELP
                    May 27, 2024 12:30:34.856739998 CEST | 49704 | 587 | 192.168.2.5 | 185.56.136.50 | STARTTLS
                    May 27, 2024 12:30:35.031779051 CEST | 587 | 49704 | 185.56.136.50 | 192.168.2.5 | 220 TLS go ahead

                    Target ID:0
                    Start time:06:30:25
                    Start date:27/05/2024
                    Path:C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\HEATEXCHANGER-PDF.exe"
                    Imagebase:0x23f0cef0000
                    File size:625'161 bytes
                    MD5 hash:83313CE4E9846836E9238791E84DC6D4
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2207935659.0000023F0EF4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2208770864.0000023F1EB82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:06:30:30
                    Start date:27/05/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Imagebase:0xba0000
                    File size:43'008 bytes
                    MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3219289884.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3219289884.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3217634764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3217634764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3219289884.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3219289884.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:moderate
                    Has exited:false

                    Target ID:3
                    Start time:06:30:30
                    Start date:27/05/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Imagebase:0x950000
                    File size:43'008 bytes
                    MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Target ID:6
                    Start time:06:30:31
                    Start date:27/05/2024
                    Path:C:\Windows\System32\WerFault.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\WerFault.exe -u -p 5656 -s 1060
                    Imagebase:0x7ff667d60000
                    File size:570'736 bytes
                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2213191578.00007FF849040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849040000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff849040000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: @H$A$HH$`H$b@'
                      • API String ID: 0-316383867
                      • Opcode ID: ae19e0280176102bcdbe296c1e110f11a5e98e81f9fa6d306fe9e019b4c286be
                      • Instruction ID: 979b262b45d64c2c4fd13d176ce3e6f5a72f18fbc275ad25ef8a2bef188cd880
                      • Opcode Fuzzy Hash: ae19e0280176102bcdbe296c1e110f11a5e98e81f9fa6d306fe9e019b4c286be
                      • Instruction Fuzzy Hash: 1BE20771C0DAC58FEB66EF2898556A47FF0FF66340F1805FAC489DB193DA28A846C741
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: AJ_H
                      • API String ID: 0-986013803
                      • Opcode ID: 5139d95de4ce0eef6f6f26292d868b235841aea93f58363802b32a4960805d3f
                      • Instruction ID: 30ec1649bef0f0644ab07d48bb324224cc809a2045a5808665efb59391bafcb5
                      • Opcode Fuzzy Hash: 5139d95de4ce0eef6f6f26292d868b235841aea93f58363802b32a4960805d3f
                      • Instruction Fuzzy Hash: 3B524D31A1CA468FDA98EB18D091A76B3E2FFA4344F1445B9D44EC36C7DF29F8468784
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9dfd6f7f55c1fee18b76c6fbe8e312335aafc07045787a095e03b39a48bb5e02
                      • Instruction ID: 2c7f11f04a41a4b367365d3bedb6954bd24c9eaf6701321fa23561b1875e750a
                      • Opcode Fuzzy Hash: 9dfd6f7f55c1fee18b76c6fbe8e312335aafc07045787a095e03b39a48bb5e02
                      • Instruction Fuzzy Hash: 7CA2A420D1EAC56FD71A93B804636EDBFE0EF46345F688AEED0C6875D3C95A14039709
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 906efd968004c685bd70ef20ad9f477243f944977a2081f2539750a1fd692d6c
                      • Instruction ID: 9715bf45541737478201987bcc919509dec3a9628e9fdd6b5b65e856a52f297f
                      • Opcode Fuzzy Hash: 906efd968004c685bd70ef20ad9f477243f944977a2081f2539750a1fd692d6c
                      • Instruction Fuzzy Hash: 72A23070A1CA4A8FD7A8EB18C495BA6B7E1FFA8354F10467DD04DC7292DF34A842CB45
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bb98c644e1d0d87371ff4f51135a2b73cae3a13aa48de46df5219b9aa103cecd
                      • Instruction ID: 321b35aaa096466304419f1fb9814da995499a5da8e021a00fff7b97613ba3d3
                      • Opcode Fuzzy Hash: bb98c644e1d0d87371ff4f51135a2b73cae3a13aa48de46df5219b9aa103cecd
                      • Instruction Fuzzy Hash: FE92B520D1EAC56FD72AD7B804A36EDBFE0DF46345F688AEED0C6875D3C95A14038609
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8be19ab9e8d3b577ea6faea4d555e2d05d909f2bc7fc93be993558d817f55c4a
                      • Instruction ID: d8c26f3d3da434e841bde937cb546c46e61ecd6ec22fa984166a555f40fc8464
                      • Opcode Fuzzy Hash: 8be19ab9e8d3b577ea6faea4d555e2d05d909f2bc7fc93be993558d817f55c4a
                      • Instruction Fuzzy Hash: 53528131A1CE4A9FE799EB28905567573E2FF98340F1442B9D04ED72C6DF28AC828785
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 134f419f8db806fa314b624039e214ae65818a0eef910f79da6b55f42d8118e2
                      • Instruction ID: 46a41799e7087d8bba3b03ae9f26ae64d3f2df2551aaefb8bd83af03d0a14831
                      • Opcode Fuzzy Hash: 134f419f8db806fa314b624039e214ae65818a0eef910f79da6b55f42d8118e2
                      • Instruction Fuzzy Hash: 89321431A1CE464FE759BB2CA4522B9B7D2FF95390F44457ED04EC32C3DF28A8468689
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6a40acb0ba36705d7189d18a40d7138a9054186e64fc233907cd4c9ce61a699f
                      • Instruction ID: 979d791a6a32ef3c2ba12a3dc83cbe6485ff9631e50ec276b6ee9cd79e5b7113
                      • Opcode Fuzzy Hash: 6a40acb0ba36705d7189d18a40d7138a9054186e64fc233907cd4c9ce61a699f
                      • Instruction Fuzzy Hash: 72423B30A1DA0A8FEBA8EB18C494B75B3E1FF58344F1045B9D44EC7296DF35A886CB45
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 09456da13dcc3816bce1faa02060e0ad5abe08e24aa515825b63710d02b05c76
                      • Instruction ID: 02af01f8a739830efc91daba675b54fc77a58d94bbc2657cff7a2ec95503ee9c
                      • Opcode Fuzzy Hash: 09456da13dcc3816bce1faa02060e0ad5abe08e24aa515825b63710d02b05c76
                      • Instruction Fuzzy Hash: F7B1B321E2D9898FF795B77C44663B96BC2EF89650F5446FBD08DC32D3CE2868028351
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a68af27c1144133bf13797422f0006685bf38e7f96ffe6862aad1750be9a080a
                      • Instruction ID: 3d9ed1ad4f5f8f68b0cd777559bb27851a895613ad51f6fb9b6085607a0b5ae9
                      • Opcode Fuzzy Hash: a68af27c1144133bf13797422f0006685bf38e7f96ffe6862aad1750be9a080a
                      • Instruction Fuzzy Hash: 04A12671A2EECA5FD749EB3C44552BA7BE1EF55280B4801BFC04AC72D7DE2D98068341
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: zL_^${L_^
                      • API String ID: 0-1587584267
                      • Opcode ID: 1edd20ab92579f93de5a0f2c8074ef57815459ed9a9f6c0a2860fa9310eb228b
                      • Instruction ID: 7d269af548cb0545f76cfb58b7e2bbd9f9be36a12cef55182777e1354ea550b5
                      • Opcode Fuzzy Hash: 1edd20ab92579f93de5a0f2c8074ef57815459ed9a9f6c0a2860fa9310eb228b
                      • Instruction Fuzzy Hash: 2522E432A1E9468FE790F72CA8546B977E1FF957A4B0801B7D048CB1D7EE28AC458385
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: L_^($L_^*
                      • API String ID: 0-3076304550
                      • Opcode ID: 6ee24e7ec427909ac2df950a4426f4745d5711aacc3788ab2f4816df79cd4af9
                      • Instruction ID: 017a64d429cc74395403eadf0bfbcea3a310039387d02460e15ca56fe4525093
                      • Opcode Fuzzy Hash: 6ee24e7ec427909ac2df950a4426f4745d5711aacc3788ab2f4816df79cd4af9
                      • Instruction Fuzzy Hash: 4B51A031A0C90D9FEB54FB5CE885AF9B7E1FB99360F14027AD04ED3192DA24B856C784
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: iH$iH
                      • API String ID: 0-664495421
                      • Opcode ID: 956970ea5a531e40fed1dfbb379278b113ac46256958a1e72306108307eab120
                      • Instruction ID: aa1fafb539141743f7667d6450a64e0b70a98230d44d970e1914926d8372d118
                      • Opcode Fuzzy Hash: 956970ea5a531e40fed1dfbb379278b113ac46256958a1e72306108307eab120
                      • Instruction Fuzzy Hash:
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: d
                      • API String ID: 0-2564639436
                      • Opcode ID: 9264f0c77c371d8114d4a637bafd1168f7c3b03fe169884faad054db743497ba
                      • Instruction ID: 448523337916aa3c160e6a135ce5a8eb9859595be6c732ae4b99d611e423a0ba
                      • Opcode Fuzzy Hash: 9264f0c77c371d8114d4a637bafd1168f7c3b03fe169884faad054db743497ba
                      • Instruction Fuzzy Hash: 65E19E3061CB498FD768EF18D485AB5B3E2FBA8754F14457ED08E83696CB35B842CB81
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: _H
                      • API String ID: 0-2626321992
                      • Opcode ID: f71da521a08ca5730f5853bd467bd32ad5a0ae3d449243a8a6c0ba737560e6dd
                      • Instruction ID: 84af23f9c94ff4c7dc05c6ee406624d122ba6fb3cffce5053cb18b997d040c0d
                      • Opcode Fuzzy Hash: f71da521a08ca5730f5853bd467bd32ad5a0ae3d449243a8a6c0ba737560e6dd
                      • Instruction Fuzzy Hash: 9391683180EAD61FE35AA3B858561B57FD1EF533A1F1801FAC8CAC70D7E91868438395
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: _H
                      • API String ID: 0-2626321992
                      • Opcode ID: 1ffea2b748c00b2f79e00b82cc81616d05e263abac7f46d3c43991f5d3beda4a
                      • Instruction ID: c4cda6bdc4b31981e5e2e5cd0a7fd6849c7e7dfb62e4346fe0655d717ae9869b
                      • Opcode Fuzzy Hash: 1ffea2b748c00b2f79e00b82cc81616d05e263abac7f46d3c43991f5d3beda4a
                      • Instruction Fuzzy Hash: 43617931D0EA855FE359A77858AB5B97FD0DF57252B0805FEC48AC71E3E92928038381
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: yL_^
                      • API String ID: 0-4278417862
                      • Opcode ID: 7dd8ae15f380d60e4f3f35ae2deba95745678a1a8f0b56166a6e706d12916033
                      • Instruction ID: 2b2e50aea41b3c02037286645cddb94585b3e062f29451cc5f2e8efc48fd3864
                      • Opcode Fuzzy Hash: 7dd8ae15f380d60e4f3f35ae2deba95745678a1a8f0b56166a6e706d12916033
                      • Instruction Fuzzy Hash: 8D61EF3391E5A25FE351B77DB4520E57B50EF422BDF0841B7C18C8E0D3EE1E644A8699
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: _H
                      • API String ID: 0-2626321992
                      • Opcode ID: b58ec5e2d42a383baf26531a9a7a2fea4bdf30f333b47674013e79ec593165ed
                      • Instruction ID: c7435c736409032eb225245c16b35e11a06efb2e2b8511342518b17e57881dec
                      • Opcode Fuzzy Hash: b58ec5e2d42a383baf26531a9a7a2fea4bdf30f333b47674013e79ec593165ed
                      • Instruction Fuzzy Hash: D3413571E0D9419FD74CAB7CA45A57977D1EF99352F0841FFD04AC72E3DE2898028644
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2213191578.00007FF849040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849040000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff849040000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: `H
                      • API String ID: 0-3713285532
                      • Opcode ID: 1b2f914cc37cc4dd0baa9c88f5e15d7978f8acabf19f08b9bca4845605433510
                      • Instruction ID: 5b61ed99565adb1cde2b365f1cc233de172a40c65d2312a17c1701a16c83f663
                      • Opcode Fuzzy Hash: 1b2f914cc37cc4dd0baa9c88f5e15d7978f8acabf19f08b9bca4845605433510
                      • Instruction Fuzzy Hash: 6141253180DAC98FDF96EF24D8959F97FE1FF66340B1501BAD00ACB192DA25E845C741
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: cL_H
                      • API String ID: 0-879983468
                      • Opcode ID: 1158380b11425cea2d2a0ebcca8002119cb1bbf7e96fea3b4fe11bd35de52cef
                      • Instruction ID: 1353dae26ff47c5853fc50066aca195caab7cb8db04c285154acb02712554ecb
                      • Opcode Fuzzy Hash: 1158380b11425cea2d2a0ebcca8002119cb1bbf7e96fea3b4fe11bd35de52cef
                      • Instruction Fuzzy Hash: 7D31E171F1D9458FE358FB3CA4992B4B7E2EF99751B1481BFC04AC32A6DE289C068345
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: _H
                      • API String ID: 0-2626321992
                      • Opcode ID: aa7a971b8b51b388475b68d5481542fe41d279d4a2f28e04baa01d58456635f0
                      • Instruction ID: 1a32fdced8ecfb0c1c3ed49c9b59755c7d059ce7f1df55944e4bcfe1b219e354
                      • Opcode Fuzzy Hash: aa7a971b8b51b388475b68d5481542fe41d279d4a2f28e04baa01d58456635f0
                      • Instruction Fuzzy Hash: 8221E562E0F9C59FD75AE77C44AA5B9BFE0DF9611238846EEC086CB2E3ED1514079300
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: _H
                      • API String ID: 0-2626321992
                      • Opcode ID: b66804cb9e2615df9d3da11c4cad676f9accc3dc796cc4efa3c92b302df86a7c
                      • Instruction ID: a6987823b3093013baa5d41ea12591953914ecb731734216b7510f172319364a
                      • Opcode Fuzzy Hash: b66804cb9e2615df9d3da11c4cad676f9accc3dc796cc4efa3c92b302df86a7c
                      • Instruction Fuzzy Hash: C201F7A3E0D99A6FE198A37D1C6A5B51BC9FB959E2F0801BBD00DC31D3ED1818024265
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: MW_H
                      • API String ID: 0-1693315056
                      • Opcode ID: 4f86bf1a73c01ac8b52facb56366622c7e6a8f3513736e36a20e0aab2b3f8dd2
                      • Instruction ID: d7c78eb570b3f3cfd004eb55ad7df2b5431a1397512ad48e0312a696537fbc50
                      • Opcode Fuzzy Hash: 4f86bf1a73c01ac8b52facb56366622c7e6a8f3513736e36a20e0aab2b3f8dd2
                      • Instruction Fuzzy Hash: D7118B70D29A4A8FE7A4EB2888517A9B7F0FB49744F5041FAD05ED3282DF3469818B06
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 175d58db65ca8568cea9763c6c82448562d5b5ee46cecb5c2c089139cae76ee5
                      • Instruction ID: d69491cb02fda52b48db4397e98a58884e8d28bb36558f85070bae6d5bfdb71e
                      • Opcode Fuzzy Hash: 175d58db65ca8568cea9763c6c82448562d5b5ee46cecb5c2c089139cae76ee5
                      • Instruction Fuzzy Hash: 9F324831D0EEC75FE79AA73814251B93FE1EF66A80F4845FEC4899B5C3DE18A8468305
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d355aadaa50d5e194860cbd49eaffc290f4e123656a2b2a98c891220b25716d7
                      • Instruction ID: 9714d9e9dd56138b7ffbea99fc1abab8dfb51b0195891103a3c3e0f16a2597d5
                      • Opcode Fuzzy Hash: d355aadaa50d5e194860cbd49eaffc290f4e123656a2b2a98c891220b25716d7
                      • Instruction Fuzzy Hash: 5D22F331E0DE8A4FE7A9A72C646527477D1EFA5B54F0842BFC049C71D7EE29AC058384
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6572800f4606937df3783afcc21ef13cf8983cd13701d493d0ed2cf50c588efa
                      • Instruction ID: 8f02da7c2d483697984833646f8426e2ab9623b6533989c97518e217ac9e3ac3
                      • Opcode Fuzzy Hash: 6572800f4606937df3783afcc21ef13cf8983cd13701d493d0ed2cf50c588efa
                      • Instruction Fuzzy Hash: 7E22A430A0CA4A8FEB98FB18D455A6573E2FB99340F2446BDD44DD72D6DE24EC42CB84
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 44922b31d90397fdd451ee519cd3e3af788da0dfba15f0c7f505a9136862ca02
                      • Instruction ID: 410277b8336f61ecbbe53044333ded2846e2b7c8c3e9e72ca96508bfecd2225d
                      • Opcode Fuzzy Hash: 44922b31d90397fdd451ee519cd3e3af788da0dfba15f0c7f505a9136862ca02
                      • Instruction Fuzzy Hash: 8A22533191DA464FE369EB28D8415B5B7E0FF61350F0446BED08AC72D3EB29B882C785
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bcd64de6f4d41c2829e8626646d499bf099a2f3f7e5f3e8125a140a96b039915
                      • Instruction ID: bb48c9cc36c5e3bbd0583c82f348d9d032ae05a387b83aedd52e4c06cc9466c4
                      • Opcode Fuzzy Hash: bcd64de6f4d41c2829e8626646d499bf099a2f3f7e5f3e8125a140a96b039915
                      • Instruction Fuzzy Hash: 24021A32E1DE864FE758A73C686A1B977D1FF95754F0802BED04DC32D7DE28A8428249
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e54c1a2d693391863537cc4b58886fa6dfe8cf7268b046f2e12207aef419247a
                      • Instruction ID: 5d8afe7b2351428b0d602cdb1d688fdc95fce7e4c8dd3181dc3040cabc870bbd
                      • Opcode Fuzzy Hash: e54c1a2d693391863537cc4b58886fa6dfe8cf7268b046f2e12207aef419247a
                      • Instruction Fuzzy Hash: 32028131A1CA0A4FEB98EB28949567573E1FFA8350B1445BAD40EC72D7DF38EC468784
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d134b297ab63c9e78e12c3ce7d9b647c743d1fd8bfca862db36b81bb7958158a
                      • Instruction ID: a00411083b879023b2bb7acc502547d54425b8375106b17708536bf57511cf18
                      • Opcode Fuzzy Hash: d134b297ab63c9e78e12c3ce7d9b647c743d1fd8bfca862db36b81bb7958158a
                      • Instruction Fuzzy Hash: FF02C33190DBC24FE74AAB3888656617FE1EF56240F1942EBD089CB1E3DE18A846C755
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 305c40990f777033aceb8bf0fe87157a994efa8fdd69462b2f95a0d75d8113ab
                      • Instruction ID: 0e9362dd403936ea25eda409829d86ec5eb416946e0d1e940a288a01a79bb596
                      • Opcode Fuzzy Hash: 305c40990f777033aceb8bf0fe87157a994efa8fdd69462b2f95a0d75d8113ab
                      • Instruction Fuzzy Hash: 27C10531A1DE4A4FD758EB2C9455AB6B7E1EFA4350F0046BEC04FC7297DF28A8468784
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 211532914f65b02ab8081e52306ea26ebc69f3dcfd0ac0f0c3c47e8747371f1e
                      • Instruction ID: bcb68bf1af54c40e8a62125356f7b64d8c50c092c3f1ff0f24851891e722c674
                      • Opcode Fuzzy Hash: 211532914f65b02ab8081e52306ea26ebc69f3dcfd0ac0f0c3c47e8747371f1e
                      • Instruction Fuzzy Hash: 68A1553191CA4A8FE359EB2884951B1B7D0FF66754F14067ED88EC32D2EF29B846C784
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0f154de23704642e9149a67604adb9b1f3775c3794a87445345d34387296052c
                      • Instruction ID: 0e8459043dcdbdc8aec96eaf562097c4af0a6e6b5ef60ceebc2f84ed63ebfa9d
                      • Opcode Fuzzy Hash: 0f154de23704642e9149a67604adb9b1f3775c3794a87445345d34387296052c
                      • Instruction Fuzzy Hash: E7C15E30E1DA4A8FEB98EB18C480775B7E1FF54355F644479C44E866C6CB3AE886CB84
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d937b49f206fc740db4e745b86f399b058455888f6fbb995002c3e94e09ec983
                      • Instruction ID: fc8c726b8887c29f3fab58f0fdcbc668d0795909602fbf673b3899672f1b6e6f
                      • Opcode Fuzzy Hash: d937b49f206fc740db4e745b86f399b058455888f6fbb995002c3e94e09ec983
                      • Instruction Fuzzy Hash: 6AA1D63160CB094FEB58EB1DE8519B9B7E1FF99760F04027FE44AC3292DF25A8428785
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID, String ID and API String ID: empty for every function listed below
                      Every function below comes from this same memory dump and snapshot, and in each entry the Opcode Fuzzy Hash is identical to the Opcode ID, so the entries are listed by Opcode ID, Instruction ID and Instruction Fuzzy Hash only.

                      • Opcode ID: 2c5e8bf9e4e4cf0f6669093fcfc5692f5b70901623e14bbd3e8b40af812b974b
                      • Instruction ID: ce019f354656b01e7992238a37803020287bd14fcc85a499e09650c9250a8149
                      • Instruction Fuzzy Hash: 13A12731A1DA4A5FE349F72C94415F677E1EF953A4F0402BBD08EC71D3EE28A8428789

                      • Opcode ID: 0ae02f1fe6bc1750284307752b97bf669b1495e02475a16c2963b95f94aa416b
                      • Instruction ID: d0c68e896f8056458e7d05fa558e047b8a47891ac6ad274977c873f858d1b5ad
                      • Instruction Fuzzy Hash: E991853161EB494FD718EB1C98868B177E0EBB5765F1002BFD48AD32E2DE25B8428785

                      • Opcode ID: 7d91b5b344a0845b1b05d8b1d16780184551ac7df50139380176f46ad4d86ac9
                      • Instruction ID: a0d889f6447495f723087057acffad6deaae9b103ef83ce665cb117d694749f8
                      • Instruction Fuzzy Hash: D1812B23B1E9565FD25176ADB8064FA37A0EFD53B5B0802B7D149CB1D3DE0CA80682E9

                      • Opcode ID: 7e26baf845d79a034f8192a26585b6ba43f85b2f4716bf303a9526dda42dd5ac
                      • Instruction ID: 5ddf7c699c500276b8acd634942f32aa8a3fb5bf9676730283b205055d6eb8d8
                      • Instruction Fuzzy Hash: 10810671D0E98A9FE352F7B854662B97FE0EF9A250F5806FAC04AC71D3DA1C6842C341

                      • Opcode ID: e0bfaa7d6fa76016ddcfa66c51f858904aa2f3d20f7f6fc40ff71c60da14f6a5
                      • Instruction ID: 14d5728b549f00e53b433dfc52af7e01cc90f1f4d164e8482623a8994779e261
                      • Instruction Fuzzy Hash: D581C130A2CA094FE768EF18C845575B3E1FBA4740F50497ED49AD3693DE35F8828B85

                      • Opcode ID: e73114c256d3f44f4279ea60feeccbc890ecd0e8263b9741df9709c819542bcc
                      • Instruction ID: c9a96de94e95430d68e79337c54ee7cfc5280803c796ba9f3d91038845e1b501
                      • Instruction Fuzzy Hash: EE719230A1CA1A4FE7A8FB1C9445A76B3D1EBE9350F10477AD48ED3295DF24F8428789

                      • Opcode ID: ccc2249331cecf2b478de60a9bfc1f2172f6493fd2261020124806ecf7bb805d
                      • Instruction ID: 548e8b04a2d04d6b3addcd9a6d1f8adf0aa09c46618fe48dedfa327367d043ec
                      • Instruction Fuzzy Hash: E671363151EA094FD758EB1CC8899B173E0EBB4765F14027ED44AE32A2DB25BC82C7C5

                      • Opcode ID: bc0772e920c65bd67da2bd49dcc329b6023864897a473596366831a3a6318f59
                      • Instruction ID: dca8d1213e4312b85daa439938a53bebe72f5b06de2f80bfa68f1df49733a058
                      • Instruction Fuzzy Hash: 5A816E3061CA0A8FDB58EB1CD484E62B3E1FB98354F2445A9D44EC7697DB25FC82CB94

                      • Opcode ID: 00116c38274621832f8bff93aaf3a26d4d3429d2d8cabbc04ab333f77fa9db84
                      • Instruction ID: 3f774bb8303bc576e025923df78268b16b2c1b73f8c9cca6e19ca02d225ab6eb
                      • Instruction Fuzzy Hash: 9D71F471D1DE855FE358EB2C94456B6B7E1EBA4350F00897FC08EC3697DE28A8468781

                      • Opcode ID: 481ec324043644ebed7e5ed49e1c727cdcca8d9b14d8824a0372161461634da2
                      • Instruction ID: 44d1609ba74acb5683508642b070ba367292eb254392be9c5040fd8626d3a2fa
                      • Instruction Fuzzy Hash: 31712430A0DA895FD705FB289451AB57BE1EF85360F2402EED049872E7CB28BC46C795

                      • Opcode ID: 4bca7b09c0130527a6c1ee79e284bcbf8c8e0bf83a5a6be7d748aa241a050a4c
                      • Instruction ID: 3bc9ad85976a8d0fe67f24d2859a1b95bb8996124bd0d3283420db396092e22b
                      • Instruction Fuzzy Hash: 74615D306189499FDAA4FB2C9459B7A77E1FF69740F1400BAD48ECB2A6CE28EC458741

                      • Opcode ID: d58d4510e30c33c5e4f58716de178f89f2ccbf1bb18e5eac380a85eb00607cbb
                      • Instruction ID: 212d4910f575554d5856018562bf42581f665e8dd60b145814a383a538f325d0
                      • Instruction Fuzzy Hash: 81614431A0EE8E0FE795EB2C54553BA77D1EFA5A94F0402BBD40DD32C6CF28A9018390

                      • Opcode ID: b0d50a46fa45e3881162e5055c5e2224cdecad5b18f82a4bd947791a78fa6c4f
                      • Instruction ID: 6a840e03c24118a137d354b5ee7f21e3c976e3e2e465f901ed963d92b0260ada
                      • Instruction Fuzzy Hash: 3861E87091CB864FE778AB28944A3BAB7D5FF99751F00067EC49EC71D2DF3868028646

                      • Opcode ID: 2526dd55312ac62734515df10d7a87ebee153f1707c3e4e64f3c2233b69b981c
                      • Instruction ID: 40e19336dff5b117a289f18a3b6c25ce6ba05b7472e74368e435288ccf679ded
                      • Instruction Fuzzy Hash: 97515E31B1CA494FE788F72C9465778A7D2EBD9790F1402BBD44DD32C2CE28AC428B85

                      • Opcode ID: 835bbb81a44d303b700f606dcc49f8b67cb62542385072eaa7cf6ed560d5635b
                      • Instruction ID: 295e774fb23452d9014ed8f646516d90d0ed284b2f8918fa7f67c5e60b0a3303
                      • Instruction Fuzzy Hash: 98513431D1EECA6FE255FB3888665F67BE1EF15340F4845BAC04A871E7CE1DA9428300

                      • Opcode ID: 32a782d8005171141ad30d04a29a9e7fc7265d6dc3939fae678178034f03c921
                      • Instruction ID: aacfdddfa4611c59be096ccdc13a2079fcbaf1f4324d7c0e90e55a260c50eefa
                      • Instruction Fuzzy Hash: 50610B30629D069FCB98FB28C091DA577F2FFA8300B5545A9E00AC76A6DF39F945CB44

                      • Opcode ID: fa2d960727c3040fb0fc6e01f7042f581b534aa3240d1cd8ca7c652a3c398db0
                      • Instruction ID: 0459f3f4fda01ca47e6bf1d91adfc6523eb3980790094ef935c2da0053dca7d6
                      • Instruction Fuzzy Hash: 3541D531B1CA454EEB58B71CA8066BDB7D1EBD9791F00017FE84AC32C3EE146C5282DA

                      • Opcode ID: c6c2fc89a10e6a697f722fec021cc6acaf4b762a1e964fda7657938b946fe73b
                      • Instruction ID: 5be5248a42dfd7273f0af6c5a84e47a0cc1798dde34a466bff74256343b74cae
                      • Instruction Fuzzy Hash: 3C51D331A2C94A5FEBA8EB28945567677D1EF98340F4444BED40EC72C7DE29AC42C748

                      • Opcode ID: d32b817041d54d25c979c41b8f031d5e3d05d40f29ebf0d690cc2aeb7457b045
                      • Instruction ID: 55e422ccc0c92c53e5423a5e4b848e95dbfeda52cb5ec0886166595ee3dff105
                      • Instruction Fuzzy Hash: DB51862290E6965FE351777C78661E67FA0DF422A9F0C02F7E088CE0D3DE0C548583A9

                      • Opcode ID: 429946a0fcb9f9bdd3ab18f458cb79db19fbca52d9941d01935e1360f7840540
                      • Instruction ID: ed3b0595314e7a50c9569e7f67edd75951ce8eb264a1f48caf625e081c45a116
                      • Instruction Fuzzy Hash: CE416D3061CE098FD749FB2C9455A75B7D2EFA8754B0401BEE00ED7292DF29E8428785

                      • Opcode ID: 571bc368b5e2e02f1db1c34aef236c4e158383c403afbec373c352a2265facd9
                      • Instruction ID: d449c80b8f3fed6e084d1216512f1d2d007828cbd360c0cc0bc64637d29604a3
                      • Instruction Fuzzy Hash: 63414631E1DE864FD316A73C58225BABBE1EF86240F4846FBD08DC71D7DE18A8468385

                      • Opcode ID: a4208a7841e5135ef76a26698b3fdffc58ebdd6dbb8192874ebb5a925fd7189a
                      • Instruction ID: e47911535dce8b4e05a5eabbbc74087e241351d4090f3755fc362689d33ebb9e
                      • Instruction Fuzzy Hash: 41418531B1CA495FE758BB1CA8066B977D1EB997A1F00017FE84BC32C3DE156C5242D9

                      • Opcode ID: 4736289327a0c62f041b59cf9aaf675e16cd41029c05826249579e47d7f796db
                      • Instruction ID: 8834edf4bbb7f0e264435bb34ae5c75c4e8f84ac875b30324a7b4ad55789b253
                      • Instruction Fuzzy Hash: 28412930A1CA0A4FEB58F76C984697637D1EF657A0F64017ED44AC31D6EE15EC028285

                      • Opcode ID: 8a61e67b7435b1d9018163578413a421bd92187ad2e35a8ecba6f7f93d54ba42
                      • Instruction ID: 6d027f4f870ecb67845234ab01927f34d242277e4ca8ae4749f952ff84b56652
                      • Instruction Fuzzy Hash: 12410531E1D84A5FE798E72C685667977C1FFA96A0B1402BAC44ED32C6EE147C528384

                      • Opcode ID: 519de8a8551f3bc77cc939952f00d4c13520d8c46f51a4e8c8c8c7b674d87d42
                      • Instruction ID: d0ebbdc41fce5fa7e2727e900215ded047a572cc21e9f056cee41e4121df4e30
                      • Instruction Fuzzy Hash: 5741473261D9095FE798F72CA8566B577C1EF99670B4402BBD04EC71D3DE29BC428384

                      • Opcode ID: c20cf3d67cb8e363ca1e4b2a6967a2fe43131284a620cf7f0f849a1affde500a
                      • Instruction ID: 67b5eef06caaa7666d45dae16b3341ae39514503882d5c37556548b266cc5bd1
                      • Instruction Fuzzy Hash: 4941AF31E1CB465FE7A4EB28D088B76B7D1FF94345F044AB9D08AC36D2D768A885C740

                      • Opcode ID: 002a8902b3bbc9820a4f92c1937e7f6d5cf462d0cee98362a4b234539b8170ad
                      • Instruction ID: 400332f0470f93af46e3e1607b6b05f039f0f7b424a15f4ec5f2d5d36c40b398
                      • Instruction Fuzzy Hash: 8341BF30E0C91A8EE7A8E729944877522D2FFA8351F5453BAD40ED71D5DF29E8C28344

                      • Opcode ID: 383c54ef41e6e455346e7f55c29e7c1e3e83927c6c082b321087570af075461b
                      • Instruction ID: 3ef76358cd95a64e74ef973c05d4f2fc2544e008e9e0a6e1a31629cb26128a73
                      • Instruction Fuzzy Hash: 08319771A1CA495FE75CAB1CA8466B9B7D1EB95750F00017FE84BC32C3EE24BC5242C9

                      • Opcode ID: af25840d066d9afff4590a2394a0d5361f382fdb7d52c0641194d401b4f84edc
                      • Instruction ID: 41ffb373237a88a2a2b86bae87ec1c53c7c214156099c121fd59f25a79282c58
                      • Instruction Fuzzy Hash: 0531D92790E5965EF25477AC78162FA3B94EF413B9F0802BBE14C8A1C3DE1C548592ED

                      • Opcode ID: 1d53ed2dbf0cbb34c86d3a9dc4eebcf797960e52cf3306137a84ae4a24ae34bd
                      • Instruction ID: c1fa893f659abca7ce9b41a92318da8906394660667db625a03a993642da205c
                      • Instruction Fuzzy Hash: E341D772E0D9894FDB96EB6CE8566B87BE0EF49350F0801ABD44CD72D2CA245C01C795

                      • Opcode ID: d15ca3d32e51840bd99a418e17aac9db26ed09f74927d60ed8aae0406af316dc
                      • Instruction ID: abf9048de39e8f2990a41d6f072f45e7401aaa0b9cb9e779c4de3d9350551257
                      • Instruction Fuzzy Hash: 9841F823D2E5A65EE351B37DB8510E93B50EF422F9F4802B7D08CCE0C3EE0D644A8699

                      • Opcode ID: 5d903bdb4e85d443be8c3d04b8f778ab90f24c5b4c7324fd210216d6105ffb9b
                      • Instruction ID: 2442e8ca6a4ee721d35f5c6c0c9da3f0a06bbec56a9c7e2b050c60122e16d865
                      • Instruction Fuzzy Hash: B241723061CA189FDB18FB18D4529B977E1EF98351F2402ADE44A872D3CB28BC46C795

                      • Opcode ID: b97dfc6bb36ac0f4622ffafa261d64bc538e0d4c01c454c3582a62a36ad5bdab
                      • Instruction ID: c7f7c91ea18c2167ca55d6724833b01cfa38837113e125d32e039d5c0bb2a9fa
                      • Instruction Fuzzy Hash: 6831C92691F6566AF25076AC74661FB3BD0EF453BDF0842BBE18C8A0C3EE1C548542ED

                      • Opcode ID: 6919a456767824472d0511c6b366005d95315c9ff33518fc7b20d6804b7b321d
                      • Instruction ID: 10e50e3286d969a91f6a1339d0879933fe6a8ff73fa56e2d15edf4d27b1bbabe
                      • Instruction Fuzzy Hash: AA416C31A1CE0A9FEAA8EB1D9494A76B3D1FF69390F84057DD44AC36D2DB24F8408744

                      • Opcode ID: 47e75ee71ffffbf936953c9e3cf8f278c49332307445ab3040205acb21e0f146
                      • Instruction ID: 4eaf2fc8201fe64516b0383d29fcff2d0bbb346a295ba40493ccaaf5fc854bb4
                      • Instruction Fuzzy Hash: 78319431B08C194FEBD8FB6C9498AB573D1EFA8765B0401BBD40DD72A6DE25DC828780

                      • Opcode ID: 69f8600a2dbfa31f017facaaa89903eed9123f47e21e28bf2d60e85fefea43a0
                      • Instruction ID: 77f87d09582f9fe3f98368482acaf89499996430bf07e2503221763369715ba3
                      • Instruction Fuzzy Hash: C031F432A1DD5A0FE798F628A4455B6B7E1EFA43A1F04017BD40EC32D6DE2DE9428384

                      • Opcode ID: a89d18793f4a60a8b947b9335a281e3c1f6ddc4a31b9b1fe781e54ff05335b31
                      • Instruction ID: 1c3e9c0e0ae1ae664c8fe9b8f7798109cadb13c5d769348cdfed128e72811359
                      • Instruction Fuzzy Hash: A631D532E0C9494FDB95EB6CE8566BD7BE1EF89740F1401AAD44CD32D6CE286C01C795

                      • Opcode ID: 045f0d361fcc2d13e5bdb8bed37350d13f6fb76718566c1dbee3e718a562a6b6
                      • Instruction ID: b84c869611136ad5ec884b4d626916e0eb778ecef05d41e77a562aede4aed8c2
                      • Instruction Fuzzy Hash: 3B31E232C1E9DA9FD392E77C28261F9BFA0EF02651B0946FBD088CB1D3C90C19428356

                      • Opcode ID: 4d55b33e24b13ff35433433dae7b3fa51a18826a6f29bcf8b9070203560f326c
                      • Instruction ID: f161093e0e8dbb586a2498c5784e5ac2f7f241946e4358ac0a5ca866ab6131fd
                      • Instruction Fuzzy Hash: 6B31F632A1DA411EE34CB66CA4465FA77E0EF99364F00457EF08E836C7DE2DA8464399
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7bb25d238119aa0df382e51ba8c27dcc6a472a9999eb22e85ce131d2f2e458ce
                      • Instruction ID: 881da0c48bdbc969dee9d07d0f0c91a07ecbd9834f1702a4906be304bf11c708
                      • Opcode Fuzzy Hash: 7bb25d238119aa0df382e51ba8c27dcc6a472a9999eb22e85ce131d2f2e458ce
                      • Instruction Fuzzy Hash: AD31B621E2CA864FE399F77C04663799AC2EF89690F5801FBD54DC32C3DE2C68428795
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b3acb960b10dd094a68bb0512cf9e7ebd0c14b9f9ada60a640693db2e0d31fd1
                      • Instruction ID: e974e9f04b512b73e8363f08ca88fced4f66994a494eabbde72d2dd9b3042133
                      • Opcode Fuzzy Hash: b3acb960b10dd094a68bb0512cf9e7ebd0c14b9f9ada60a640693db2e0d31fd1
                      • Instruction Fuzzy Hash: 10313B31D0DD8A5FEB54EB7898555BE3BE2EF6A780F45027AD44CE72D2DB649802C340
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7a0383e40e135435cddd79c9c3e0438f1bcf552f81decc7a56073133ed7d8d8e
                      • Instruction ID: a6275dd0fa9ff9fd39c77140c2a656dd9b7e48daff1d75c2bc7eeb9430b0a5e4
                      • Opcode Fuzzy Hash: 7a0383e40e135435cddd79c9c3e0438f1bcf552f81decc7a56073133ed7d8d8e
                      • Instruction Fuzzy Hash: 7531F43160CF498FC784EB1CD084AAAB7E1FFA9755F00067AE049D32A4DE30E8858782
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2585e0ae850c2471cae165c0e3cd51dd015b70f342b702f8011a3c7da0116f8a
                      • Instruction ID: 486dcef41d31396aea66b255abdd5819763a4f839ab2329386ba5ebdf4ec7733
                      • Opcode Fuzzy Hash: 2585e0ae850c2471cae165c0e3cd51dd015b70f342b702f8011a3c7da0116f8a
                      • Instruction Fuzzy Hash: 4531C43150DB484FDB19E72CD8569F67BF0EF56724F0502ABE049C71A3CE25A845C785
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c47dc593313a661e37a1fa3ad25ad2d6b5bd15abbc1a88bd7a665dcda7a99b14
                      • Instruction ID: 1d5dc850869f0973076d9cc591166dd94c132662512e89daa9800f82ad999830
                      • Opcode Fuzzy Hash: c47dc593313a661e37a1fa3ad25ad2d6b5bd15abbc1a88bd7a665dcda7a99b14
                      • Instruction Fuzzy Hash: 48315A71A1CE0A9FEBA4FB59C084E66B3E1FF68340F600579D40DC36A1DA65F8428B84
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d09fe091a1a6e18d906438f6ab240419960ab6f023dda85e0e4dce7a7315ef5a
                      • Instruction ID: d0bc7a0bb588fd4adbdc1e38e663a9cff12524400ad3a29097bac58f42ecb9d3
                      • Opcode Fuzzy Hash: d09fe091a1a6e18d906438f6ab240419960ab6f023dda85e0e4dce7a7315ef5a
                      • Instruction Fuzzy Hash: BB21D431B2CD0A4FEAA8FA1D544477673C1EBB8A64F5041BBD40ED3AEADE18AC024344
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e5f48dad5dd1f209915cb14ad8476098ca571cd837fb19ffae99863c18955094
                      • Instruction ID: e6db6604e2c2b599deec296be8ac38c402a9e9179cdd78d8e4fd6277086f81e1
                      • Opcode Fuzzy Hash: e5f48dad5dd1f209915cb14ad8476098ca571cd837fb19ffae99863c18955094
                      • Instruction Fuzzy Hash: 5E217F3071CD094FD69CFA2CD849A7577E1FBA9310B10026EE04EC36A6DE25EC468784
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2525e82a39d57c3e887b6e60d2b284b2738da9bc12a666fdc6e939f9586f38c1
                      • Instruction ID: 5c2fb2956550e3b275559cd7dbcf1cc94ad70867598e9480e0158e8f03db81dd
                      • Opcode Fuzzy Hash: 2525e82a39d57c3e887b6e60d2b284b2738da9bc12a666fdc6e939f9586f38c1
                      • Instruction Fuzzy Hash: AE21F93160CB095FE798F76C944A97A77D0EB98751F00163EE44EC32A2DE24BC428786
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a5d75a15460a379d892049a867c018b85ebff831c5528edf910f59f60ab9dac4
                      • Instruction ID: e0a6c9084cdfb694becc56cf5a7bc6d78847689b6d847828a56de4c5cb22f372
                      • Opcode Fuzzy Hash: a5d75a15460a379d892049a867c018b85ebff831c5528edf910f59f60ab9dac4
                      • Instruction Fuzzy Hash: 9711E93731652CA6D708BAECF8D55FA7398DF857B7744037BD6068F002DE15504ACAA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4114286ee3be588fb8a88595fd2104d19b557cef1b8148eb040636302934ca69
                      • Instruction ID: a61b83ef5480a3769fc7f56bc60e122c5c08bc2d4b897f9795c014df8b57d272
                      • Opcode Fuzzy Hash: 4114286ee3be588fb8a88595fd2104d19b557cef1b8148eb040636302934ca69
                      • Instruction Fuzzy Hash: 8921283191EA865FD329EB2998424B27BB0EF55310B0441BFD04AC36E7DE1DB84B8325
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9c9b57e4510dd8f269d5d65471856b649fa38d869d335266f81f7e19affc15c3
                      • Instruction ID: 1ce648fd1bbb9549e70f64a0fba88cc632c0c350f1b036897298641610b74be2
                      • Opcode Fuzzy Hash: 9c9b57e4510dd8f269d5d65471856b649fa38d869d335266f81f7e19affc15c3
                      • Instruction Fuzzy Hash: 24112B22A0DB561FF324566CBC563B63BC4DF863A2F0801BFE848C31D3DD189C8582A5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8152c2467fb904cb675c44275f58911cd270e0da78e091dc30d843932150ff7b
                      • Instruction ID: da9c49976876287dc22651ad6c4afeed40231583e13d3c9ee5c99cf48eec5f3d
                      • Opcode Fuzzy Hash: 8152c2467fb904cb675c44275f58911cd270e0da78e091dc30d843932150ff7b
                      • Instruction Fuzzy Hash: 3C21933160CA0C8FDB18EB1DD845DB677E1EBA9761F05026EE04AD32A1DE61F841C7C5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c37f62e60bf60a7e2e5a59fda573c9f9e142c663fdd2f03d151404f8cfc10002
                      • Instruction ID: 300cdcbc493e207e27e17ae8f0634f7cea349f8c11bf84c7f423e8ef12bd936e
                      • Opcode Fuzzy Hash: c37f62e60bf60a7e2e5a59fda573c9f9e142c663fdd2f03d151404f8cfc10002
                      • Instruction Fuzzy Hash: 6221D431B2D94A4FE796F72C84556A537D1EF96240F4840BAD40CC7AC6DE2DE8028344
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6aad517de13aed98995929b43886bd545f95c64b6f7e5e0063c4daf81e59377c
                      • Instruction ID: 59ba67789581ce912dbbc6c338c9cb8b6118f8a86b1af113091d7c67e0484846
                      • Opcode Fuzzy Hash: 6aad517de13aed98995929b43886bd545f95c64b6f7e5e0063c4daf81e59377c
                      • Instruction Fuzzy Hash: 14219F31A2DE464FD658FB2894414B673E1FB68350B40867ED04FC36DBDF2CB94A8648
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 765ef5a055d3840748bdf551a729c709ce718bd894187f8cf1eb91a22c50114b
                      • Instruction ID: 115be7c519b60a8a394f0024be816e464c0edf3693bb7299b33ef75559bd206a
                      • Opcode Fuzzy Hash: 765ef5a055d3840748bdf551a729c709ce718bd894187f8cf1eb91a22c50114b
                      • Instruction Fuzzy Hash: D8210631D1DE9A9FE756AB3858156B9BBE0FF52350F0407FAC048E71D7DB2828468742
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4ac6a8a69490c8e9948ab565347ed588a4263d712d78ac72cffbf40a157add9a
                      • Instruction ID: 4a592555e7a8a95fe1f349e51cecaa1b5a281f23503c7c223041b2a0c3c0e149
                      • Opcode Fuzzy Hash: 4ac6a8a69490c8e9948ab565347ed588a4263d712d78ac72cffbf40a157add9a
                      • Instruction Fuzzy Hash: 8321033050D9464FD725FB3AC4949B6B7E0EF95310F2886BED04AC76E7DA29A8C6C344
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 458451001120131fe3e5c939754bb99ad817ca787773b5eebe6fed8983f37ecb
                      • Instruction ID: 260c49d60cfe9bf0626cac31702552e984be580aa36ca0907b06ba2dc58e91c4
                      • Opcode Fuzzy Hash: 458451001120131fe3e5c939754bb99ad817ca787773b5eebe6fed8983f37ecb
                      • Instruction Fuzzy Hash: 3E11E13192CA811FD64CE62C84469BA7BE1EBA8340F00443EF08F836D3DE68A8058346
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 30ef846f070b8f5e564a7b2aa91441065d03e03e36ad1db3b1ca55dc15ca583c
                      • Instruction ID: 36fd4c193b6616436e31be96a3c25aa7fb6e7701d69a24efb0651edd5994e7d2
                      • Opcode Fuzzy Hash: 30ef846f070b8f5e564a7b2aa91441065d03e03e36ad1db3b1ca55dc15ca583c
                      • Instruction Fuzzy Hash: BF119132F2DD4A1FF2D6F72C146423562D2EFA82A1F9500B7D40DC32D6EE1C98460209
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 043e79e32135b5a07893cff69697c01c605ee408067aa83897d4503f3d6c44bc
                      • Instruction ID: 1ccbd852542f07947582898a75be202fca922ef8254f39010ec7437e65a7a8e7
                      • Opcode Fuzzy Hash: 043e79e32135b5a07893cff69697c01c605ee408067aa83897d4503f3d6c44bc
                      • Instruction Fuzzy Hash: F8118271F19A458FE74CAF6C641A67977E1EB48341F2581BFD00EC36E7DE7998028608
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d244771dcf940fb5b91982021e3854066c95cddbead49fc79db0bdc391ae99c1
                      • Instruction ID: 4884d8c4f1f4c8c7c5214606a1ba5ce4781fb9f61097916c7f3eea6ab3a30935
                      • Opcode Fuzzy Hash: d244771dcf940fb5b91982021e3854066c95cddbead49fc79db0bdc391ae99c1
                      • Instruction Fuzzy Hash: FE014E31A1DD450FE758F62CA4499B577D0DB943A5F04017FD80DC32E7DD19E9428344
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c72bb818f8d032ef31896bc724b6f01a0a5e1cbdb24deb20a35c0b33e2aeb15a
                      • Instruction ID: e6809b379879cf1f8243ac810ac61ab7e29eda4d7af9ca3a503a295b505f8a46
                      • Opcode Fuzzy Hash: c72bb818f8d032ef31896bc724b6f01a0a5e1cbdb24deb20a35c0b33e2aeb15a
                      • Instruction Fuzzy Hash: A8011E71A1CB444B9748AB4CB4420BAB7E1EBD9361F50063FF44EC3796DF26A442468A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3cae3446defea06f147f6da59c4f25c48265b52828b2efc01e09d34901b444b6
                      • Instruction ID: 9053146bc42ded91d7ab832a2e6bf2851eda3f3d178ced8194610fb88f273eaa
                      • Opcode Fuzzy Hash: 3cae3446defea06f147f6da59c4f25c48265b52828b2efc01e09d34901b444b6
                      • Instruction Fuzzy Hash: 4D11CE30A1DE0A8FEAB8A7389455371B2E1FBB8748F14457EC01ED22C1DF28E8468784
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 49a64ee6cd90ff249321d5b6c96d60e0ffd511e70b81e9bd4166867ceb5d51ce
                      • Instruction ID: dd3fe73ccdeebbb8ab72bd89d0f6132943822ecd1abe1160d65895b014773ec9
                      • Opcode Fuzzy Hash: 49a64ee6cd90ff249321d5b6c96d60e0ffd511e70b81e9bd4166867ceb5d51ce
                      • Instruction Fuzzy Hash: 15112932C0EBC20FE316A73A58158563FE09F42250B0946FBC089CB1D7EE0D64868301
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fc4d2bfd29406ca8bc648fa0a512e4b9e7df0e0756bec6b3c7da257bc901f771
                      • Instruction ID: 25741ab23348a8d3ff378005f0668482c8e44772d5a9e16359e2d4a188bfd2f0
                      • Opcode Fuzzy Hash: fc4d2bfd29406ca8bc648fa0a512e4b9e7df0e0756bec6b3c7da257bc901f771
                      • Instruction Fuzzy Hash: 8901F232A2ED1A1FA26CB62C68494B677D0EBA8764B00017FE40FC36C7ED1CA9464284
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0731b97986680dcc54f4e31a19edea78a54e28b3a80fb9fd55e9ff16e9e84f27
                      • Instruction ID: a281fa6316afea3254f532d94dea3dfa9cda2ab66d83771542f3856487e72365
                      • Opcode Fuzzy Hash: 0731b97986680dcc54f4e31a19edea78a54e28b3a80fb9fd55e9ff16e9e84f27
                      • Instruction Fuzzy Hash: B901A935A0CA172FF2785A5D64597BB36C5EF897E2F04017FE84DC31C6DE289C4442A5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6970a8c7e32a4b80fa3696b689bb6d28c17462eec32a310c687df0866b5672fc
                      • Instruction ID: 3cc6babe2e142f38c2426ef8ee0c3dcf4dc117bd8bb649a0741a3c0425110366
                      • Opcode Fuzzy Hash: 6970a8c7e32a4b80fa3696b689bb6d28c17462eec32a310c687df0866b5672fc
                      • Instruction Fuzzy Hash: E1018B32B2CD1A4AD668BB1CB4511BA73D0EB98760B10417FD44E832CBDF28A9464289
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8e188e79453eb95d74fcb842a18c2b02d6e16a16fc046fc9b2890b80696e82bd
                      • Instruction ID: 6b9739a3eadabfd65073890de140f19e443cc70ac04d67899ec635d9fe747374
                      • Opcode Fuzzy Hash: 8e188e79453eb95d74fcb842a18c2b02d6e16a16fc046fc9b2890b80696e82bd
                      • Instruction Fuzzy Hash: 0F01B530A1DB854FE746E76C14981702AE1EF56501B1402FBD018CB1E2DB0D9C478315
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d2dce09111a375ad205626e0b30772910e1c7d62ce559b32e089097c84172dca
                      • Instruction ID: 48a41e9140e34dcbb78cecc80c57b944357d6dc5918195c8b591df197d1e3fa5
                      • Opcode Fuzzy Hash: d2dce09111a375ad205626e0b30772910e1c7d62ce559b32e089097c84172dca
                      • Instruction Fuzzy Hash: 9EF04631F0C91A0FEBE8E66CB4956B432C1EF6C221B4511FAE40CDB1C5E9099CC243C5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a67c2a98c9ca919ba8428738ce16e910c485582febede5f934ac2637276022b0
                      • Instruction ID: 63103f8fc9a96702ea56dd1080c03234fe2b714b40ad6deca3b489f095106372
                      • Opcode Fuzzy Hash: a67c2a98c9ca919ba8428738ce16e910c485582febede5f934ac2637276022b0
                      • Instruction Fuzzy Hash: 3A112A38D1CB954EFB65A368D044375EBD09F16368F1848ACC4CA826C3DB9DB8D9C34A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5e21dfea40d35cc1d06134a2f0699ffc2ce1a2db4f8d9370571553c505ae75dc
                      • Instruction ID: 5f98f7e9c93ef9134bf18b23fe8b39aeb634a6a8cc0d93e52ba4de1100403b43
                      • Opcode Fuzzy Hash: 5e21dfea40d35cc1d06134a2f0699ffc2ce1a2db4f8d9370571553c505ae75dc
                      • Instruction Fuzzy Hash: 7A016D32F2E94A1FE6D6B72C146423966D2EF98261F9900B7D80DC32D7EE1C98454219
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 96f3c77ca22bd744d4123894b21aa4f9f381d82fa04840f0f71ea5daa17e6ac8
                      • Instruction ID: ff83355abfc85cafccbd032f8cd0e8399463ee71f6a7fe95b31512b175bbda64
                      • Opcode Fuzzy Hash: 96f3c77ca22bd744d4123894b21aa4f9f381d82fa04840f0f71ea5daa17e6ac8
                      • Instruction Fuzzy Hash: 47F09622D1CA660EEBE8A71D34046F412C19B513D1F5900B3E81DCB3D6DA0DDEC341C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 158192ef9d73482efa83ba7e8f1ad9f05878c629428e556e9995e7a0bb0aa0f5
                      • Instruction ID: 197f289f773075e2655a467bc20b30b76ace2c8aaa57bbfdab971016fe97daea
                      • Opcode Fuzzy Hash: 158192ef9d73482efa83ba7e8f1ad9f05878c629428e556e9995e7a0bb0aa0f5
                      • Instruction Fuzzy Hash: 3BF0DA30718C0E8FDA94F71DE458A2573E6EF9836175902A6E40DC72A5DF64EC82C791
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a9f820d3e3d91989ec34ac19ab6b631c87b42ef02c26b0f547fc9eb5089d55ff
                      • Instruction ID: 27e3a10a1fd2fc98b27ddc2cdc21c4dbed92c77dfafe60f990cd38b721ad5273
                      • Opcode Fuzzy Hash: a9f820d3e3d91989ec34ac19ab6b631c87b42ef02c26b0f547fc9eb5089d55ff
                      • Instruction Fuzzy Hash: A201846291EBC56FE753A73808390B9BFA1AF53241B0944EBC0888B0FBEA245919C305
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a482f3e586c913ee76759d290ca3d1a7d8130a81f83ddeef26046fcdce851a03
                      • Instruction ID: b49565b4ce88b135434a382ef46a175b8c88fef7a128fb5ff6d9957f7fec1a77
                      • Opcode Fuzzy Hash: a482f3e586c913ee76759d290ca3d1a7d8130a81f83ddeef26046fcdce851a03
                      • Instruction Fuzzy Hash: CD01697091DBCE4FDB86EF2888581A97FB0FF56200F0405EBD859C76A2DA799914C741
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b9e7123c37876428c45c64ed92c38c00e33604c8090e278b4cdf253bfb002953
                      • Instruction ID: 42d86d2be790ec0d1a946511735ad4c5e74e428868b3dabfd238ec3c8a6ebae2
                      • Opcode Fuzzy Hash: b9e7123c37876428c45c64ed92c38c00e33604c8090e278b4cdf253bfb002953
                      • Instruction Fuzzy Hash: ACF06D30A1DE1A4FEAA9E7389054772B2E1FB78348F10447A906ED35C5DF28E8498744
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8ded95978b1c20412dbb38b22416150447fe9915940e9ba5ce71a3c6e5037753
                      • Instruction ID: 867dec188f14a68e1cdc20f777cf7a17fb7b95520951b7cbd1370285492928e4
                      • Opcode Fuzzy Hash: 8ded95978b1c20412dbb38b22416150447fe9915940e9ba5ce71a3c6e5037753
                      • Instruction Fuzzy Hash: 01F0F934A1C90E8FEE94FB2CD451D25B7D0EF28788B6545A8D41ECB2D2EA16EC46C704
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a630e769d71c7eaadebd20df01993f0dd79cf2464d7ab1d45e298692e5a6ca79
                      • Instruction ID: e940015b7853336462af0733957389e7b339822d91ee80a00938f4d48ca5c76c
                      • Opcode Fuzzy Hash: a630e769d71c7eaadebd20df01993f0dd79cf2464d7ab1d45e298692e5a6ca79
                      • Instruction Fuzzy Hash: 69F02B11B2E81A0BB29072AD38C91FE4386DFD81B6F540373E05CC21C2DE4C5C4B4398
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 73f8a5bd260fe4952292e853adfd52fde3758e7a815d293e8b64971c11bef6e5
                      • Instruction ID: 988ea640ea37f1bede48449408496822a066b6720f6a4f7218a8e67d37beffaa
                      • Opcode Fuzzy Hash: 73f8a5bd260fe4952292e853adfd52fde3758e7a815d293e8b64971c11bef6e5
                      • Instruction Fuzzy Hash: 79F08211C5CFA60DF7B6727924483BAA9C19F25350F4814B6D899C55CADA4CFCC58389
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 13de4fda3a4672a59dc6d43f9f438cbd7d0a76efbb93c97880f45f2b3065dd77
                      • Instruction ID: 9c4fb845a9b1e40df67eed373f44bef081362ad2d28a832f94296f7f6c0c7be9
                      • Opcode Fuzzy Hash: 13de4fda3a4672a59dc6d43f9f438cbd7d0a76efbb93c97880f45f2b3065dd77
                      • Instruction Fuzzy Hash: F7E0D832C0DEC84FD716676448660E87F90EF86100F4A46DBD0884B4D2E616551A9342
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 21c14299079eb23d78b7d71f5f07306f78bd394e75c16d1adbdd4fdd0c55b1d9
                      • Instruction ID: 58130bee0899770a8f8c498e222e7b79352da5994e8565fb43ec03e77d29eaa2
                      • Opcode Fuzzy Hash: 21c14299079eb23d78b7d71f5f07306f78bd394e75c16d1adbdd4fdd0c55b1d9
                      • Instruction Fuzzy Hash: 32E0DF36B2E9598FE398F63C68010B2B3E0FB1529471089BBC04AC7581DE29E8054340
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a370b9ff258d1d4c85eb144cf16a78f15db54662391d754fb67ffeca8c41a571
                      • Instruction ID: 1baf44171b621716d9f58c9076fc3f94bcedb0fae3c8855d8b0920d77aeebb95
                      • Opcode Fuzzy Hash: a370b9ff258d1d4c85eb144cf16a78f15db54662391d754fb67ffeca8c41a571
                      • Instruction Fuzzy Hash: ACE0B61154F7D50FD75333391C699A93F60AE93161B5902FBD488CB0E3D80E084A83A7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 514d55df2232d89d7f8f2143610a2d47297b464045e0e075938b82bab9921d74
                      • Instruction ID: 14f94a12f467b992d8f3e0887e73154a39de5f4e3f16578d272f835e6efb7201
                      • Opcode Fuzzy Hash: 514d55df2232d89d7f8f2143610a2d47297b464045e0e075938b82bab9921d74
                      • Instruction Fuzzy Hash: 3CD0123092CE1D4FDAB4BB7890452B7A1E0FB18310F400A7AD01AC36C9DF6CAD894394
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0c1de273596d0a57741fb580973f1cbaeffc6ae231e3809dab2161c930f1a435
                      • Instruction ID: ee80db793303965833fbd1208d0f1446e606a814b496d2435b7ea0c410437198
                      • Opcode Fuzzy Hash: 0c1de273596d0a57741fb580973f1cbaeffc6ae231e3809dab2161c930f1a435
                      • Instruction Fuzzy Hash: 94D0C251B19A4A5FEB05B63D482D0B53B92AB94680B0580E2C408CB0D6ED24180D4204
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 18d99d7b74357d908af2533293fcdd4efcdcdb4734b939bc05190397d2b2aa5d
                      • Instruction ID: 5f220180a3faadb9caa555086e60ec6ea10b898d1a30f6b0ce4906fa8d157ad4
                      • Opcode Fuzzy Hash: 18d99d7b74357d908af2533293fcdd4efcdcdb4734b939bc05190397d2b2aa5d
                      • Instruction Fuzzy Hash: A5D02332C2DC014AD94873374C930142580BB55714FE40294D02CC21C1E90DC4C6C305
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 828206d1ea030f0cec8598aca4a619669cd6545592d0db83204712f5fc724bbc
                      • Instruction ID: e83400509e767bb0ce30af9bb9a466a89e7e1e2946793ac6add0473cbf36a56a
                      • Opcode Fuzzy Hash: 828206d1ea030f0cec8598aca4a619669cd6545592d0db83204712f5fc724bbc
                      • Instruction Fuzzy Hash: B3A0222200F0F0C8CB03A3B800300FA3F000F03A0CF3C00EFC0C02808382000000C380
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 82ecaa0b4a3321324835a43a85e0a359be7c532cfb3e07ae71b04ce52994a3d6
                      • Instruction ID: 49594303c7cba8ca31afcc6ce102cddb5c962f3546497795fbd05b9f1bea566c
                      • Opcode Fuzzy Hash: 82ecaa0b4a3321324835a43a85e0a359be7c532cfb3e07ae71b04ce52994a3d6
                      • Instruction Fuzzy Hash:
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: 8J_H
                      • API String ID: 0-754093949
                      • Opcode ID: 535edf426a93cdb1c0a75d136d6b263838ae69218d4a4978ef5b3ec1aee29479
                      • Instruction ID: 25ce72d2e95790622eae254e6abccc734ff9d3f4cbfb1ddbf692f4b7405acd8f
                      • Opcode Fuzzy Hash: 535edf426a93cdb1c0a75d136d6b263838ae69218d4a4978ef5b3ec1aee29479
                      • Instruction Fuzzy Hash: DB223731A0CA4A4FE758EB1CE841675B7D1EF95360F1402BED88ED36D7DE29A8438384
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2212565961.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f30000_HEATEXCHANGER-PDF.jbxd
                      Similarity
                      • API ID:
                      • String ID: I
                      • API String ID: 0-3707901625
                      • Opcode ID: dedcba37759b4736c35ec003111750c4de669b52a297d00bfd86f1a94b5cc702
                      • Instruction ID: 50c5e89a098451dafa6937175cb68de09cc3e6287277c3ad11697ca0061d3a57
                      • Opcode Fuzzy Hash: dedcba37759b4736c35ec003111750c4de669b52a297d00bfd86f1a94b5cc702
                      • Instruction Fuzzy Hash: 1122D231B1CA464FE75DEB2CA455679B3D2FB99740F44467EE04EC36C3DF28A8028689

                      Execution Graph

                      Execution Coverage: 8%
                      Dynamic/Decrypted Code Coverage: 100%
                      Signature Coverage: 0%
                      Total number of Nodes: 85
                      Total number of Limit Nodes: 6
                      [Execution graph (rendered node/edge dump, layout not preserved): entry nodes 5c4a920, 5c4cdd0 and 148d030; API calls reached from them: GetModuleHandleW (via 5c4abd8), LoadLibraryExW (via 5c49b90), CreateWindowExW (via 5c4cdd0) and CallWindowProcW (via 5c49d2c, 5c4dd5c and the 5c4e2xx/5c4e3xx blocks)]
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0640a7fbb4bd73ba5e689ae1e2f2732672def8ec0f2148f2d3cbeb14c8fa1ccd
                      • Instruction ID: 1feb47708c2f4129a373ff58b5b95ddf1f5215724c7f2b715579d6d9afc8fd80
                      • Opcode Fuzzy Hash: 0640a7fbb4bd73ba5e689ae1e2f2732672def8ec0f2148f2d3cbeb14c8fa1ccd
                      • Instruction Fuzzy Hash: 7353F931D10B1A8ADB11EF68C88469DF7B1FF99300F51D79AE4587B125EB70AAC4CB81
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eada07d042d97d7ea04d2a677c6f9ae4bd3247a5e131788a0482772147b564e6
                      • Instruction ID: c4581564aa939075c90beb0f7e0e9966c8bf3e303b04815751d344efa50f39f8
                      • Opcode Fuzzy Hash: eada07d042d97d7ea04d2a677c6f9ae4bd3247a5e131788a0482772147b564e6
                      • Instruction Fuzzy Hash: 98332E31D1071A8EDB11DF68C8846ADF7B1FF99300F54C79AE458AB225EB70AAC5CB41

                      Control-flow Graph

                      [Control-flow graph (rendered; executed/not-executed colouring not preserved): blocks 1513e80 to 1514180, calls to 1510ab8 from 1514127, 151413b and 151414f, final self-looping block at 1514180]
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID: \Vl
                      • API String ID: 0-682378881
                      • Opcode ID: 34b2ac56d62bf5a2c1244f7e5b6fd4fc3762962035e168939859d04b5d19230b
                      • Instruction ID: bd725b0824146b25baa00485bc2c4dc2337a180752e80115783b093149d1223d
                      • Opcode Fuzzy Hash: 34b2ac56d62bf5a2c1244f7e5b6fd4fc3762962035e168939859d04b5d19230b
                      • Instruction Fuzzy Hash: 0F916D70E00209CFEF51DFA9C99579EBBF2BF88314F148529E415AB298EB749845CB81
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1154c90c7d6e41a2deadeeeaeb06b13497589e82180e69398055d140225f3337
                      • Instruction ID: 1e510db2fa093c2a1143dd8fe035e77741ceacc424688a675ede97baa23209c9
                      • Opcode Fuzzy Hash: 1154c90c7d6e41a2deadeeeaeb06b13497589e82180e69398055d140225f3337
                      • Instruction Fuzzy Hash: 1CB16170E00209CFEF11CFA9C9857ADBBF2BF88314F149529D415EB298EB749885CB81

                      Control-flow Graph

                      [Control-flow graph (rendered; executed/not-executed colouring not preserved): blocks 1514810 to 1514a5c, calls to 1510ab8 from 1514a17 and 1514a2b, final self-looping block at 1514a5c]
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID: \Vl$\Vl
                      • API String ID: 0-415357090
                      • Opcode ID: a993fde82dec71a5cacef92ad7085a0345c3b90e00ee5565d7ba72e7a6628e03
                      • Instruction ID: 228284d03841d75738121d6085a59e492d545b9b40b585a7ede2a1bb7a31a671
                      • Opcode Fuzzy Hash: a993fde82dec71a5cacef92ad7085a0345c3b90e00ee5565d7ba72e7a6628e03
                      • Instruction Fuzzy Hash: 0E718DB1E00249DFEB11DFA9C98179EBBF2BF88314F148129E414AB258EB749841CB85

                      Control-flow Graph

                      [Control-flow graph (rendered; executed/not-executed colouring not preserved): blocks 1514804 to 1514a5c (same body as the 1514810 entry above), calls to 1510ab8 from 1514a17 and 1514a2b, final self-looping block at 1514a5c]
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID: \Vl$\Vl
                      • API String ID: 0-415357090
                      • Opcode ID: 748728152551242814a0c470bc5b8ff97eb6551df1864fd5df0d604060cc0051
                      • Instruction ID: 661783d3769cf55d3f08c00894b5fead513960707f72fc89f4c6bbe20afc6578
                      • Opcode Fuzzy Hash: 748728152551242814a0c470bc5b8ff97eb6551df1864fd5df0d604060cc0051
                      • Instruction Fuzzy Hash: 90717DB1E00249DFEB11DFA9C9857DEBBF2BF48314F148129E414AB258DB749841CB95

                      Control-flow Graph

                      [Control-flow graph (rendered; executed/not-executed colouring not preserved): entry 1516ed7, blocks 1516e6f to 15170f1, calls to 1516c40 (from 1516ee6), 151637c (from 1516f44), 1510a00 (from 1516e97) and 1517908 (from 1516f93)]
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID: LRjq$LRjq
                      • API String ID: 0-348097489
                      • Opcode ID: 0b0fde95ca94eb5b94eb8ac8c8f659f90416885e0df61bb8f8bda439f1880e8c
                      • Instruction ID: ba1f6caed1d70fb54aa14b40b374f5d993e7c935eac8f9a1a8b0229a268e8d48
                      • Opcode Fuzzy Hash: 0b0fde95ca94eb5b94eb8ac8c8f659f90416885e0df61bb8f8bda439f1880e8c
                      • Instruction Fuzzy Hash: 4051B130A103099FEB16DF68C4547AEB7B2FF85310F10852AE416EF299DBB59C46CB51

                      Control-flow Graph

                      [Control-flow graph (rendered; executed/not-executed colouring not preserved): blocks 5c4abd8 to 5c4ae68, calls to 5c49b4c, 5c4ae80/5c4ae72, 5c49b58, 5c43224, 5c47abc and 5c49b68, GetModuleHandleW called in block 5c4ae20-5c4ae4b]
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 05C4AE3E
                      Memory Dump Source
                      • Source File: 00000002.00000002.3222732839.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_5c40000_AddInProcess32.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 734a551e6d3e9b5a449b35dd051ae1d7ca513f4044a92d692d375e22612f74c0
                      • Instruction ID: 0ea64c84f56752e163b5530bdc85363bcd40c1e4e03b6019ca86f9e33b011376
                      • Opcode Fuzzy Hash: 734a551e6d3e9b5a449b35dd051ae1d7ca513f4044a92d692d375e22612f74c0
                      • Instruction Fuzzy Hash: D1813370A00B058FD764DF69D444BAABBF6FF88200F048A2ED49AD7A50D735E949CF91

                      Control-flow Graph

                      control_flow_graph 1675 5c4cdc4-5c4ce36 1677 5c4ce41-5c4ce48 1675->1677 1678 5c4ce38-5c4ce3e 1675->1678 1679 5c4ce53-5c4ce8b 1677->1679 1680 5c4ce4a-5c4ce50 1677->1680 1678->1677 1681 5c4ce93-5c4cef2 CreateWindowExW 1679->1681 1680->1679 1682 5c4cef4-5c4cefa 1681->1682 1683 5c4cefb-5c4cf33 1681->1683 1682->1683 1687 5c4cf35-5c4cf38 1683->1687 1688 5c4cf40 1683->1688 1687->1688 1689 5c4cf41 1688->1689 1689->1689
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05C4CEE2
                      Memory Dump Source
                      • Source File: 00000002.00000002.3222732839.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_5c40000_AddInProcess32.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: 83491a4a8f3fb47a1655b9f673f1dd932530756d7437f66dff8e7210bfeec2e5
                      • Instruction ID: 27249e73630fade12f961900605dc2ddd608e63b3f464c5c11847da0cad14e0f
                      • Opcode Fuzzy Hash: 83491a4a8f3fb47a1655b9f673f1dd932530756d7437f66dff8e7210bfeec2e5
                      • Instruction Fuzzy Hash: 1651E0B0C01349AFDB14CF99C984ADEFBF5BF48310F64852AE819AB220D7759945CF90

                      Control-flow Graph

                      control_flow_graph 1690 5c4cdd0-5c4ce36 1691 5c4ce41-5c4ce48 1690->1691 1692 5c4ce38-5c4ce3e 1690->1692 1693 5c4ce53-5c4cef2 CreateWindowExW 1691->1693 1694 5c4ce4a-5c4ce50 1691->1694 1692->1691 1696 5c4cef4-5c4cefa 1693->1696 1697 5c4cefb-5c4cf33 1693->1697 1694->1693 1696->1697 1701 5c4cf35-5c4cf38 1697->1701 1702 5c4cf40 1697->1702 1701->1702 1703 5c4cf41 1702->1703 1703->1703
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05C4CEE2
                      Memory Dump Source
                      • Source File: 00000002.00000002.3222732839.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_5c40000_AddInProcess32.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: e47d6f8315db35dab5cc3afd94bbb27701f90c9d6420bcefe6a5ad5e6a52cc7f
                      • Instruction ID: 36ae94f6a0e778aa064ceb41917c1e61f8189b49cee7df61910f93f320c93ea7
                      • Opcode Fuzzy Hash: e47d6f8315db35dab5cc3afd94bbb27701f90c9d6420bcefe6a5ad5e6a52cc7f
                      • Instruction Fuzzy Hash: D541EFB1C013099FDB14CF9AC984ADEFBF5BF48310F24852AE819AB220D7759985CF90

                      Control-flow Graph

                      control_flow_graph 1704 5c4dd5c-5c4f54c 1707 5c4f552-5c4f557 1704->1707 1708 5c4f5fc-5c4f61c call 5c49d2c 1704->1708 1709 5c4f559-5c4f590 1707->1709 1710 5c4f5aa-5c4f5e2 CallWindowProcW 1707->1710 1715 5c4f61f-5c4f62c 1708->1715 1717 5c4f592-5c4f598 1709->1717 1718 5c4f599-5c4f5a8 1709->1718 1713 5c4f5e4-5c4f5ea 1710->1713 1714 5c4f5eb-5c4f5fa 1710->1714 1713->1714 1714->1715 1717->1718 1718->1715
                      APIs
                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05C4F5D1
                      Memory Dump Source
                      • Source File: 00000002.00000002.3222732839.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_5c40000_AddInProcess32.jbxd
                      Similarity
                      • API ID: CallProcWindow
                      • String ID:
                      • API String ID: 2714655100-0
                      • Opcode ID: faf67cfb47ae0e3120c2bbfb9993d58c1411bb7aa7c7b6bf615fb71a3f33b8de
                      • Instruction ID: d16e19c1655834bf1fc3cf9c8cd58147a5b16219330a89810f09be793750a8b8
                      • Opcode Fuzzy Hash: faf67cfb47ae0e3120c2bbfb9993d58c1411bb7aa7c7b6bf615fb71a3f33b8de
                      • Instruction Fuzzy Hash: EF4105B49002499FCB14DF99C488EAABBF5FF88314F24885DE519AB321D374A945CFA0

                      Control-flow Graph

                      control_flow_graph 1721 5c4b03a-5c4b080 1723 5c4b082-5c4b085 1721->1723 1724 5c4b088-5c4b0b7 LoadLibraryExW 1721->1724 1723->1724 1725 5c4b0c0-5c4b0dd 1724->1725 1726 5c4b0b9-5c4b0bf 1724->1726 1726->1725
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05C4AEB9,00000800,00000000,00000000), ref: 05C4B0AA
                      Memory Dump Source
                      • Source File: 00000002.00000002.3222732839.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_5c40000_AddInProcess32.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: d76b988ed15fd7b61aa589b3ae5a675aa358abad4126a103e54e8cf7e99677b3
                      • Instruction ID: 4ed79fb595e36f175f749ef9cba6d5383fa3a8c6211eacf0e225dc3bbbbf0d81
                      • Opcode Fuzzy Hash: d76b988ed15fd7b61aa589b3ae5a675aa358abad4126a103e54e8cf7e99677b3
                      • Instruction Fuzzy Hash: 8611F9B58003099FDB20DF9AD844ADEFBF9FB88314F10841AD529A7210C775A545CFA5

                      Control-flow Graph

                      control_flow_graph 1729 5c49b90-5c4b080 1731 5c4b082-5c4b085 1729->1731 1732 5c4b088-5c4b0b7 LoadLibraryExW 1729->1732 1731->1732 1733 5c4b0c0-5c4b0dd 1732->1733 1734 5c4b0b9-5c4b0bf 1732->1734 1734->1733
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05C4AEB9,00000800,00000000,00000000), ref: 05C4B0AA
                      Memory Dump Source
                      • Source File: 00000002.00000002.3222732839.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_5c40000_AddInProcess32.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 729c37d85f15f3a5f41121af71e5a404f348792e015155cee922d5ca31b6dd48
                      • Instruction ID: 713ee20ff56d8091dc85f26a7581361c4c50f4ce750a26d4eb6f385a39b27e66
                      • Opcode Fuzzy Hash: 729c37d85f15f3a5f41121af71e5a404f348792e015155cee922d5ca31b6dd48
                      • Instruction Fuzzy Hash: F71106B58002488FDB20DF9AC444AAEFBF4FB88314F10841AD529A7200C379A945CFA5

                      Control-flow Graph

                      control_flow_graph 1737 5c4add8-5c4ae18 1738 5c4ae20-5c4ae4b GetModuleHandleW 1737->1738 1739 5c4ae1a-5c4ae1d 1737->1739 1740 5c4ae54-5c4ae68 1738->1740 1741 5c4ae4d-5c4ae53 1738->1741 1739->1738 1741->1740
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 05C4AE3E
                      Memory Dump Source
                      • Source File: 00000002.00000002.3222732839.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_5c40000_AddInProcess32.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 861eeba1bdf0381f8259972195a08e2636d616d467c6280c2d469f9f972504e6
                      • Instruction ID: e8f6dc109afdb70446cdbbed3f3b0cfd01482473706571887e400c1cf051413b
                      • Opcode Fuzzy Hash: 861eeba1bdf0381f8259972195a08e2636d616d467c6280c2d469f9f972504e6
                      • Instruction Fuzzy Hash: B411E0B6C003498FDB10DF9AD844ADEFBF9EF88324F10842AD529A7210C379A545CFA1

                      Control-flow Graph

                      control_flow_graph 1809 1513e74-1513ee6 1811 1513f30-1513f32 1809->1811 1812 1513ee8-1513ef3 1809->1812 1814 1513f34-1513f8c 1811->1814 1812->1811 1813 1513ef5-1513f01 1812->1813 1815 1513f03-1513f0d 1813->1815 1816 1513f24-1513f2e 1813->1816 1823 1513fd6-1513fd8 1814->1823 1824 1513f8e-1513f99 1814->1824 1817 1513f11-1513f20 1815->1817 1818 1513f0f 1815->1818 1816->1814 1817->1817 1820 1513f22 1817->1820 1818->1817 1820->1816 1826 1513fda-1513ff2 1823->1826 1824->1823 1825 1513f9b-1513fa7 1824->1825 1827 1513fa9-1513fb3 1825->1827 1828 1513fca-1513fd4 1825->1828 1833 1513ff4-1513fff 1826->1833 1834 151403c-151403e 1826->1834 1829 1513fb5 1827->1829 1830 1513fb7-1513fc6 1827->1830 1828->1826 1829->1830 1830->1830 1832 1513fc8 1830->1832 1832->1828 1833->1834 1835 1514001-151400d 1833->1835 1836 1514040-1514052 1834->1836 1837 1514030-151403a 1835->1837 1838 151400f-1514019 1835->1838 1843 1514059-151408e 1836->1843 1837->1836 1840 151401b 1838->1840 1841 151401d-151402c 1838->1841 1840->1841 1841->1841 1842 151402e 1841->1842 1842->1837 1844 1514094-15140a2 1843->1844 1845 15140a4-15140aa 1844->1845 1846 15140ab-151410b 1844->1846 1845->1846 1853 151411b-151411f 1846->1853 1854 151410d-1514111 1846->1854 1856 1514121-1514125 1853->1856 1857 151412f-1514133 1853->1857 1854->1853 1855 1514113 1854->1855 1855->1853 1856->1857 1858 1514127-151412a call 1510ab8 1856->1858 1859 1514143-1514147 1857->1859 1860 1514135-1514139 1857->1860 1858->1857 1861 1514157-151415b 1859->1861 1862 1514149-151414d 1859->1862 1860->1859 1864 151413b-151413e call 1510ab8 1860->1864 1867 151416b-151416f 1861->1867 1868 151415d-1514161 1861->1868 1862->1861 1866 151414f-1514152 call 1510ab8 1862->1866 1864->1859 1866->1861 1871 1514171-1514175 1867->1871 1872 151417f 1867->1872 1868->1867 1870 1514163 1868->1870 1870->1867 1871->1872 1873 1514177 1871->1873 1874 1514180 1872->1874 1873->1872 1874->1874
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID: \Vl
                      • API String ID: 0-682378881
                      • Opcode ID: be305f60e4f1f707317bd11e0665db8a48f8f244df2dc6c2ede2a5c58b0be835
                      • Instruction ID: c30ebbfe18413e936b0ae60c3de31e8eea2a19e16adc48a110a28c9bcf6b655f
                      • Opcode Fuzzy Hash: be305f60e4f1f707317bd11e0665db8a48f8f244df2dc6c2ede2a5c58b0be835
                      • Instruction Fuzzy Hash: 78A16C70E00209CFEF51DFA9C9957EEBBF1BF88314F148129E415AB258EB749885CB81
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID: PHjq
                      • API String ID: 0-751881793
                      • Opcode ID: 79289c2618f4adfe32400d29f492cd64600f9791f785e2afec93fe0de2347d11
                      • Instruction ID: ed77a34736e785e2ef3b9293e98d6c48d12bdff7ce31b583f27375a027ef13ec
                      • Opcode Fuzzy Hash: 79289c2618f4adfe32400d29f492cd64600f9791f785e2afec93fe0de2347d11
                      • Instruction Fuzzy Hash: 1631F331B002018FDF169B78E55466E7BA7BF85214F148429D006DB39AEF79DC0ACB90
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID: LRjq
                      • API String ID: 0-665714880
                      • Opcode ID: 0cde3ba4b48bf1544e1d53bee779c89178a86e6526f9f1b8936b2e5d542c20c0
                      • Instruction ID: 1c3e21e69570c2150eeeebee48d07c80b7bb89f873b1b00f80d9be5a4c722dae
                      • Opcode Fuzzy Hash: 0cde3ba4b48bf1544e1d53bee779c89178a86e6526f9f1b8936b2e5d542c20c0
                      • Instruction Fuzzy Hash: 74316134E102098FEB16CFA8C550B9EB7B2FF89300F10852AE516FF258DBB1A945CB50
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID: LRjq
                      • API String ID: 0-665714880
                      • Opcode ID: e9c57fb431779db9da184b3a9b94de3600db4218e1279a7fe1349dea06b73062
                      • Instruction ID: b35fb38c91fab3ff47c2d38db2bad002ed5189cd4a4ec914540b5e7115087a99
                      • Opcode Fuzzy Hash: e9c57fb431779db9da184b3a9b94de3600db4218e1279a7fe1349dea06b73062
                      • Instruction Fuzzy Hash: 442104306042554FC716EF7CD4546AE7BB6FF86220B0489AEC009CF2AADB369C49C792
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 424a6d4e376d74dcb19ce257135efdf97b44b5f74af00fa54e977e1cf166132d
                      • Instruction ID: 00c9686bcd986c610fa6ce210ea3d41f613286e22e7ff03bc5fe52535ab6338d
                      • Opcode Fuzzy Hash: 424a6d4e376d74dcb19ce257135efdf97b44b5f74af00fa54e977e1cf166132d
                      • Instruction Fuzzy Hash: 57122F307005129FDB26AF3CE45461D36ABFB8A214B518A3AD116CF369CF75EC4ADB90
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 596f76498f613558e58b6f41d06f70a907d4a272c9f20abcf597e003d9ac57be
                      • Instruction ID: c1ebf77b5becdbf89d55d7aeb928b66d183554a9c55d089564b359f4d3eb6fe9
                      • Opcode Fuzzy Hash: 596f76498f613558e58b6f41d06f70a907d4a272c9f20abcf597e003d9ac57be
                      • Instruction Fuzzy Hash: 9FC1CE75A002058FEF15CFA8D9907AEBBB6FF85314F20856AE909DB399D770D844CB90
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 41bcb245c3ff7165ec39a733e04e4b17e1c52ea0efd9a8d439f2539d769e27fd
                      • Instruction ID: 36ddda87cd628ff17552c1b651ac1bc05e14c5da4bc85d7b1f2156d0f680b4a0
                      • Opcode Fuzzy Hash: 41bcb245c3ff7165ec39a733e04e4b17e1c52ea0efd9a8d439f2539d769e27fd
                      • Instruction Fuzzy Hash: 49C19375A002058FDB15DFA8D5A4AADBBF2FF89314F248425E906EB359DB30DC41CB50
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3b3082f887ae6665c3df4b4d76e1a1053eb2de471de05546fe86892bcdb915ac
                      • Instruction ID: d5365e0d0cc4300200f732835e128221d9cb8a726238c0d9dfcf9d226d40d66d
                      • Opcode Fuzzy Hash: 3b3082f887ae6665c3df4b4d76e1a1053eb2de471de05546fe86892bcdb915ac
                      • Instruction Fuzzy Hash: 79B14A70E002098FEF11CFA9D9857ADBBF1BF88314F149529D815EB298EB759885CB81
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: db82d06b00b7f8087a6869aebb00230922760135ec30f27d30e0b3dd9a7b0b53
                      • Instruction ID: bde723535d0a23ad22b84fa0557fc388396ae13eac66bfcabcbb23eed6245e0c
                      • Opcode Fuzzy Hash: db82d06b00b7f8087a6869aebb00230922760135ec30f27d30e0b3dd9a7b0b53
                      • Instruction Fuzzy Hash: 40511370D102188FEB15CFA9C885BEEFBF1BF48310F54811AE815BB268D7B49844CB91
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 23f43db3826af1a819cf70b49a46cfefb86353f70807846210065e29eeed9588
                      • Instruction ID: d45aea1fb958a91ca214fbfef879837591673d3db1f16a811d7b1d24dcdf6118
                      • Opcode Fuzzy Hash: 23f43db3826af1a819cf70b49a46cfefb86353f70807846210065e29eeed9588
                      • Instruction Fuzzy Hash: 9F510370D002188FEB15DFA9C885B9EFBB1BF48310F548519E815BB369D7B4A844CB95
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 671344f16e1ae2a05ef1b273c7161f9277ae7dca3ff60445f2d5ffb9f715a013
                      • Instruction ID: 6695abb83c9fade94516fbf0e235a7477b9a73aada642132494147ed1a54a3cd
                      • Opcode Fuzzy Hash: 671344f16e1ae2a05ef1b273c7161f9277ae7dca3ff60445f2d5ffb9f715a013
                      • Instruction Fuzzy Hash: EF51C830641A678FCB1AEF2EF980A5D3B66FB533053049B69D2055B67EDA70790DCB80
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8fcf7b568484594de4488ee8a5e99951a7916079267e9aecab0fcc05673287e0
                      • Instruction ID: e76dc22894153821cdbf601a007dfa49f666d88d0fdfa2b6ce186dc7168b542a
                      • Opcode Fuzzy Hash: 8fcf7b568484594de4488ee8a5e99951a7916079267e9aecab0fcc05673287e0
                      • Instruction Fuzzy Hash: 2651B831641A678FCB1AEF2EF980A5D3B66FB533053049B69D2055B23EDA70790DCB80
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a292a5f7eb136b1742475af4d606077a67b8d0cfd193768e5b59e3cb8c453a2a
                      • Instruction ID: 3b5dec0ee8424824df6ddb072bb33915f3a215b698f75035c5b8058845d15589
                      • Opcode Fuzzy Hash: a292a5f7eb136b1742475af4d606077a67b8d0cfd193768e5b59e3cb8c453a2a
                      • Instruction Fuzzy Hash: 65317435E006099FDB1ACF68D95469EB7F2BF89310F10C91AE805EB754DB70AC46CB50
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dc7056c34e829cdb23d46df734f7a42c73e79cf5f80ec6999d4698465d6235c7
                      • Instruction ID: 83b75eb9bd8d187cf0610d6e15326372b5583a5a5b4d85656d49576dfcab00de
                      • Opcode Fuzzy Hash: dc7056c34e829cdb23d46df734f7a42c73e79cf5f80ec6999d4698465d6235c7
                      • Instruction Fuzzy Hash: FC41DFB0D00349AFDB14DFA9C584ADEBFF5FF48310F24842AE819AB254DB759945CB90
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 218b3b9567557b81092f4aaf03c5e88e93ba1d777c5797144d4a29bed9cf1c16
                      • Instruction ID: c9d14213dd867055954da3978dd0541c74aa8cc74fefc9e8837bc9fc8411534c
                      • Opcode Fuzzy Hash: 218b3b9567557b81092f4aaf03c5e88e93ba1d777c5797144d4a29bed9cf1c16
                      • Instruction Fuzzy Hash: 04316535E006099BDB1ADF69D954A9EB7F6BF89300F10C91AE805EB354DF70AC46CB50
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4697aa243c3efdb61b27bf44842799b27ed763a2105754f31ac90b1762e77eae
                      • Instruction ID: 724453dbbc628d031984a080cd72bc6ff2d19f494174cf397a997effe303ea11
                      • Opcode Fuzzy Hash: 4697aa243c3efdb61b27bf44842799b27ed763a2105754f31ac90b1762e77eae
                      • Instruction Fuzzy Hash: 1441BFB0D003499FDB14DFA9C584ADEBFF5FF48310F24842AE819AB254DB75A945CB90
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bd8fc684036d5c79eb09718145601e9ae306d7d76d38d78bc1c3884f5e964c1e
                      • Instruction ID: 67499d3ca2ac5080c062a339b32cd01a22a64fa926eb73bc0952335359c1f1b5
                      • Opcode Fuzzy Hash: bd8fc684036d5c79eb09718145601e9ae306d7d76d38d78bc1c3884f5e964c1e
                      • Instruction Fuzzy Hash: 0B2182386009114FEF27AB7CE9C4B6D3769FB45310F104AA5D106CF3AEE729A8458B91
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 45877fddce4b8340bb342efd2c4433dcbf14c75d5449ea46554ed6b8db4028cf
                      • Instruction ID: 2a2e57efc6c5603fa3d74155ea40235cc5f869fe2785b0ab3b581a623e9a70bb
                      • Opcode Fuzzy Hash: 45877fddce4b8340bb342efd2c4433dcbf14c75d5449ea46554ed6b8db4028cf
                      • Instruction Fuzzy Hash: 48318275E002099FEB06DFA8D9906DEF7B6BF85314F10C62AD805EB355DB709886CB50
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bc1a4aeb45c69cbc03df41b2691996e8630f7b9ef0e91b09b73a02f242fa0b2f
                      • Instruction ID: a6d9ec7f24d4f9b378637d895d65f93e84268b06b19f7d0f0e6eacb95d72aafc
                      • Opcode Fuzzy Hash: bc1a4aeb45c69cbc03df41b2691996e8630f7b9ef0e91b09b73a02f242fa0b2f
                      • Instruction Fuzzy Hash: 07219471E006099BEB06DFA9D59069EFBB2FF89304F10C619E805EB359DB709886CB50
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3d27d9e1eef70f644da0136f08e1470d4c2798bca1ea66b7bc3170f8df723172
                      • Instruction ID: 3cc5cda1818349f8501fc7110cf6714740e7be38a7c643bb1613cf7263e4cea5
                      • Opcode Fuzzy Hash: 3d27d9e1eef70f644da0136f08e1470d4c2798bca1ea66b7bc3170f8df723172
                      • Instruction Fuzzy Hash: AA219130B00606CFEB56EB78C5956AD77F6BF49210F2005ADC602AF2A8DB369D05CB50
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 616b076df12ec93fe3bdfd7fb683f688c3910e37678927edd6489a1de0a7adbf
                      • Instruction ID: 4db4d8b059d46e22e260e4edd6891b7d666543cb6a1dd8fd5f99a844982fb307
                      • Opcode Fuzzy Hash: 616b076df12ec93fe3bdfd7fb683f688c3910e37678927edd6489a1de0a7adbf
                      • Instruction Fuzzy Hash: 8C219231E0060ADBDB1ACFA8D9545EEF7F2BF85314F10892AE816BB354DB719941CB40
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 66151f9b1780b589fa0db8b1d82aeab40cd5d43afd732b0de8047b5f61fe84e6
                      • Instruction ID: 3e611db6c7d9ea7c4ae13d4cf44dbd4cffa39669fa76e042fc696d7873c3dbe8
                      • Opcode Fuzzy Hash: 66151f9b1780b589fa0db8b1d82aeab40cd5d43afd732b0de8047b5f61fe84e6
                      • Instruction Fuzzy Hash: 82213970A10205CFDB55EF78D559AAD7BF1BF8A300B100469E406EB368EB329D04CB91
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218702512.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_148d000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0f5cc81abf47fd01c408930dc7a6bcf12e615875dbd87302af18c8b1d475b539
                      • Instruction ID: badf579e9f48e62956d16b62ed7d517eacbee9e124e76c152af53581db6df01f
                      • Opcode Fuzzy Hash: 0f5cc81abf47fd01c408930dc7a6bcf12e615875dbd87302af18c8b1d475b539
                      • Instruction Fuzzy Hash: AC21F5B1904204DFDB15EF58D980F2ABB65FB85318F24C56ED90A4B3A6C33AD447CA62
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9436148e638299a96e8e0340b5770dd55ca8518dd207b1fe2b31f7d8c9156ca2
                      • Instruction ID: 7b2353c0ac7067645304664b8b2fdbd6d12e6e27ea769be1c39e29473057cfb2
                      • Opcode Fuzzy Hash: 9436148e638299a96e8e0340b5770dd55ca8518dd207b1fe2b31f7d8c9156ca2
                      • Instruction Fuzzy Hash: 2821A130640E518FEF335A3CE4C872D37A5FB42315F1108AED106CF69DD6698889D742
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 02b7e0bf184cfedc9dba436fdfb159fbc514bfa6354f23759bec5869060fbdc4
                      • Instruction ID: 06332643fc61be315b4ff68229a523624744bafedfceac9f95fed449ed9b4758
                      • Opcode Fuzzy Hash: 02b7e0bf184cfedc9dba436fdfb159fbc514bfa6354f23759bec5869060fbdc4
                      • Instruction Fuzzy Hash: 27216534E0060A9BDB1ACFA8D9545DEF7B2BF89314F10852AE815FB354DB709941CB50
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c1d5578f0578944f8988ffa9e332ed7f83f4b33229c194acb1252cf64b34fa0f
                      • Instruction ID: f869e0a51f7af22b22e4021b794cb3459dce3611980c7dfeb186d9cf8164fe1b
                      • Opcode Fuzzy Hash: c1d5578f0578944f8988ffa9e332ed7f83f4b33229c194acb1252cf64b34fa0f
                      • Instruction Fuzzy Hash: D8216230B006068FEB56EB78C5956AD77F6BF89200F2004ADD606EF358DB359D45CB91
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218702512.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_148d000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9fd7fd623116b11d881e128417eb93c482f032848c04c4b3ed438471e87fe10a
                      • Instruction ID: 52b617daaf7f4058d0ae82a332a31243914aba5aa1e312d70f8de4e584716b22
                      • Opcode Fuzzy Hash: 9fd7fd623116b11d881e128417eb93c482f032848c04c4b3ed438471e87fe10a
                      • Instruction Fuzzy Hash: D7217A714093C49FCB03DB64C990B15BF71EB46214F28C5DBD8898F2A7C23A980ACB62
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f42a0fb74499701ca188a8374cb406309167db4c2709871bde2914bbbe18e424
                      • Instruction ID: 24d201674c1a2f9fc7621b13f59058c71d1ff8d89c693b2049aee94116667b63
                      • Opcode Fuzzy Hash: f42a0fb74499701ca188a8374cb406309167db4c2709871bde2914bbbe18e424
                      • Instruction Fuzzy Hash: CF215B382009118FEF27EA7DF9C4B5D376AFB45310F104A65D106CB26EEB29E8488B91
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0ac8c0e15144adaa3694f2bec1683b0d01632b721e7f792155fe412fe2d93ee5
                      • Instruction ID: 3d5573c2d1ea0a00b7c4b16f5c020b2d08f78c389b548955a8d8b19443cc9c26
                      • Opcode Fuzzy Hash: 0ac8c0e15144adaa3694f2bec1683b0d01632b721e7f792155fe412fe2d93ee5
                      • Instruction Fuzzy Hash: A5213C70B00205CFDB55EFB9D559A9D77F5BF8A300B100468E506EB368EB359D04CB90
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: de1427304adf013ded0d613b95489e419ce6e44de1c7edf298fc3893b3753c18
                      • Instruction ID: 7ddc386d056fad1c809807e5c9bd85cafb05079fbcc2afa6573ff2efd737d652
                      • Opcode Fuzzy Hash: de1427304adf013ded0d613b95489e419ce6e44de1c7edf298fc3893b3753c18
                      • Instruction Fuzzy Hash: 72116D30B042046BFF27AA7DD45476E3699FB46220F204939F406CF2DAEA65DCC58BC1
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 812b46f3379eaf6ae373dd7e171aa747a69c577a5a6d6add34595812469ae161
                      • Instruction ID: 8b5d4e9d233b5f639687f99ce33402b311d3215370b2148ada1dc9e7a5f46963
                      • Opcode Fuzzy Hash: 812b46f3379eaf6ae373dd7e171aa747a69c577a5a6d6add34595812469ae161
                      • Instruction Fuzzy Hash: DD118F30A083046BFF676A6C941437E7695FB42220F244D3AE806CF2CADA65D8C58BC1
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0b571cd33c3f0e7b4a621562680fb08e0bf21ea199053a912aa2513e6427f0c4
                      • Instruction ID: 4b02fc5fad51af3b729647ed92a6da303a543da6e3003166f343fd15e0ce7add
                      • Opcode Fuzzy Hash: 0b571cd33c3f0e7b4a621562680fb08e0bf21ea199053a912aa2513e6427f0c4
                      • Instruction Fuzzy Hash: 96112C71F007119FDF61AF75A44826F7BE1FB89250F10493ADA15D7308EB349805CB80
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34c109502ffdb10bf6c53af787dae503cf9e3a51399f76ddcd805eb986d1c50d
                      • Instruction ID: 3cea95f97cb1a7a603396f961868eefaeb8fa609f10c2eec3c0c506f48ecda03
                      • Opcode Fuzzy Hash: 34c109502ffdb10bf6c53af787dae503cf9e3a51399f76ddcd805eb986d1c50d
                      • Instruction Fuzzy Hash: 49117031A016168FEF22EFBC84916AE7BE5BB48210B1404B9E505EF245E636D882CB95
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: af0cedef342184609ed069745ff11ee4f016175de37e07f477f6186342ee889f
                      • Instruction ID: 6df17b51f84430302f2d622eafe3d43410aaf33cd3fa8f42a0ab62f8f034a24d
                      • Opcode Fuzzy Hash: af0cedef342184609ed069745ff11ee4f016175de37e07f477f6186342ee889f
                      • Instruction Fuzzy Hash: 12018431A016168FDF22EFBC849119D7BF5FB48210B1404B9D505EB345EB35D881CB91
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 165134357aa12132858d2607196568b25ad21126df36c81ca11ee0df6eaa2cf0
                      • Instruction ID: 9975e410201d4bc47bcc00fecea1be83a62cb6cfaef664915233b2456c8767e3
                      • Opcode Fuzzy Hash: 165134357aa12132858d2607196568b25ad21126df36c81ca11ee0df6eaa2cf0
                      • Instruction Fuzzy Hash: 830144349401499FCF55EFA8FA509DD7BB9EF41300F104675C4059B269EB356E49CB90
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 063abc19724167320e2302d0ce5811ca3deed308f82aaa04b6667a2abf5d55e7
                      • Instruction ID: 0904327395e50c4f778c644377e185c53f5fe3911504f5a07fa428d5c489efa0
                      • Opcode Fuzzy Hash: 063abc19724167320e2302d0ce5811ca3deed308f82aaa04b6667a2abf5d55e7
                      • Instruction Fuzzy Hash: A9F0F637A045518FE7238BB894D11ACBFA0FAA411171D00D7D602DF259D635D442CB11
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8a20cb68db298f347731443d9a31b8988e539b3bc9716e2265285e03c0ffec9a
                      • Instruction ID: b6ea86782736ddc90e5cc903e437b1d1e9f22408472a89b05139a4aa68b31f0f
                      • Opcode Fuzzy Hash: 8a20cb68db298f347731443d9a31b8988e539b3bc9716e2265285e03c0ffec9a
                      • Instruction Fuzzy Hash: 35F0C439B00618CFC714DB68D598B6D77B2EF89615F1240A8E5069B3A8DB31AD46CF40
                      Memory Dump Source
                      • Source File: 00000002.00000002.3218975304.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_1510000_AddInProcess32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c12e41cfaadde061508945485434fc3cbbb60e55b850c6ffedf6dbc4fbdbff28
                      • Instruction ID: 76ccc2c83b2561c7805b94e2268e978e5b1e14c7b4ca26adc58902212fba100e
                      • Opcode Fuzzy Hash: c12e41cfaadde061508945485434fc3cbbb60e55b850c6ffedf6dbc4fbdbff28
                      • Instruction Fuzzy Hash: 8FF03C34940109AFCB09FFACFA9099D7BBDEF81300F504769C0059B268EB356E48CB90
                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 05C4273E
                      • GetCurrentThread.KERNEL32 ref: 05C4277B
                      • GetCurrentProcess.KERNEL32 ref: 05C427B8
                      • GetCurrentThreadId.KERNEL32 ref: 05C42811
                      Memory Dump Source
                      • Source File: 00000002.00000002.3222732839.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_5c40000_AddInProcess32.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: 4045eddf8b2977966630bf33cccf42219347c4821f991094789a0f36db91df66
                      • Instruction ID: 727164171e7d24b7703e63eb3dc26ecc8518e958e26b0b2ca0112d31bed28739
                      • Opcode Fuzzy Hash: 4045eddf8b2977966630bf33cccf42219347c4821f991094789a0f36db91df66
                      • Instruction Fuzzy Hash: 3B5154B49003498FDB14DFAAD949BAEBBF1FF48304F248459E019A73A0D7389984CF65
                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 05C4273E
                      • GetCurrentThread.KERNEL32 ref: 05C4277B
                      • GetCurrentProcess.KERNEL32 ref: 05C427B8
                      • GetCurrentThreadId.KERNEL32 ref: 05C42811
                      Memory Dump Source
                      • Source File: 00000002.00000002.3222732839.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_5c40000_AddInProcess32.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: f10487411de04c7bfc69af8502d97703a33f05a1b2211041d12a2030dfe21f5f
                      • Instruction ID: d8348ad9fa72bfe5c9e51685b86cbde3e79dacb4c9b6ed45ef6cd6ef821c32d0
                      • Opcode Fuzzy Hash: f10487411de04c7bfc69af8502d97703a33f05a1b2211041d12a2030dfe21f5f
                      • Instruction Fuzzy Hash: 9E5164B49002498FDB14DFAAD548BAEBFF5FF88304F248419E019A7360D7389984CF65