
Windows Analysis Report
M.V TBN - VESSEL'S DETAILS.docx.scr.exe

Overview

General Information

Sample name: M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Analysis ID: 1467863
MD5: 856076a266bf66744428123e379d6e54
SHA1: 88e2e194d5944b748671fefa67c61d3c48af7cf6
SHA256: c09cba9da1f8a6c8fbda87ce1c29455118eb13876286388a7d768ba98585aa78
Tags: exe scr

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}
Source | Rule | Description | Author
00000005.00000002.4440040719.00000000033CC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.4440040719.00000000033A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.4440040719.00000000033A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 7 entries shown)
Source | Rule | Description | Author | Strings
0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x312d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31345:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x313cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31461:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x314cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3153d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x315d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31663:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x2e6c6:$s2: GetPrivateProfileString
  • 0x2ddc5:$s3: get_OSFullName
  • 0x2f403:$s5: remove_Key
  • 0x2f592:$s5: remove_Key
  • 0x30473:$s6: FtpWebRequest
  • 0x312b5:$s7: logins
  • 0x31827:$s7: logins
  • 0x3450a:$s7: logins
  • 0x345ea:$s7: logins
  • 0x35ee6:$s7: logins
  • 0x35184:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 15 entries shown)
No Sigma rule has matched
No Snort rule has matched
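The Yara tables above identify their sources by Joe Sandbox memory-dump names (`00000005.00000002.….0000000000402000.00000040.00000400.00020000.00000000.sdmp`) and unpacked-PE names (`5.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.400000.0.unpack`). The following is an added example, not part of the report or of Joe Sandbox, that decodes both formats and flags regions that look like injected code. The field layout is an assumption inferred from the values on this page: field 1 is the analysis process number (0 is the submitted sample), field 4 the base address, field 5 matches the Windows PAGE_* protection constants and field 7 matches MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE; fields 3, 6 and 8 are not decoded. Under that reading, process 5 holds a private PAGE_EXECUTE_READWRITE page at 0x402000 and a recoverable PE at its own image base 0x400000, which is consistent with the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures: the child's original image was replaced rather than mapped from disk.

```python
"""Decode Joe Sandbox dump / unpack names and flag likely injected regions.

Added example, not from the report or Joe Sandbox.  Field positions are an
assumption inferred from the values on the page (see the lead-in above).
"""
import re
from dataclasses import dataclass

# Memory protection constants from winnt.h
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
# Region types from winnt.h
MEM_IMAGE = 0x1000000
MEM_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}


@dataclass(frozen=True)
class DumpRegion:
    process: int    # analysis process number (assumed: 0 = submitted sample)
    stage: int      # dump stage (assumed: 2 = taken when the process ended)
    base: int       # region base address
    protect: int    # PAGE_* protection
    mem_type: int   # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE

    @property
    def protect_name(self) -> str:
        return PAGE_NAMES.get(self.protect & 0xFF, hex(self.protect))

    @property
    def is_rwx(self) -> bool:
        p = self.protect & 0xFF
        return p in EXECUTABLE and p in WRITABLE

    @property
    def looks_injected(self) -> bool:
        # Executable memory that is not backed by an image section is how a
        # hollowed or manually mapped payload shows up in a region listing.
        return (self.protect & 0xFF) in EXECUTABLE and self.mem_type != MEM_IMAGE


def parse_dump_name(name: str) -> DumpRegion:
    stem = name[:-5] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8 or not all(f.isalnum() for f in fields):
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(process=int(fields[0]), stage=int(fields[1]),
                      base=int(fields[3], 16), protect=int(fields[4], 16),
                      mem_type=int(fields[6], 16))


# <process>.<stage>.<image name>.<hex base>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9a-fA-F]+)\.(\d+)(\.raw)?\.unpack$")


def parse_unpack_name(name: str) -> dict:
    m = UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox unpack name: {name!r}")
    return {"process": int(m.group(1)), "stage": int(m.group(2)),
            "image": m.group(3), "base": int(m.group(4), 16),
            "index": int(m.group(5)), "raw": m.group(6) is not None}


def injected_regions(dump_names) -> list:
    """Regions whose protection and type indicate injected code, deduplicated."""
    seen, out = set(), []
    for n in dump_names:
        r = parse_dump_name(n)
        if r.looks_injected and (r.process, r.base) not in seen:
            seen.add((r.process, r.base))
            out.append(r)
    return out


# Dump and unpack names taken from this report
REPORT_DUMPS = [
    "00000005.00000002.4440040719.00000000033CC000.00000004.00000800.00020000.00000000.sdmp",
    "00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "00000005.00000002.4440040719.00000000033A1000.00000004.00000800.00020000.00000000.sdmp",
    "00000000.00000000.1980651109.0000000000556000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1996635975.0000000005480000.00000004.08000000.00040000.00000000.sdmp",
]
REPORT_UNPACKS = [
    "0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack",
    "5.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.400000.0.unpack",
]

if __name__ == "__main__":
    for r in injected_regions(REPORT_DUMPS):
        print(f"process {r.process}: {r.base:#x} {r.protect_name} {MEM_NAMES.get(r.mem_type)}")
    for u in REPORT_UNPACKS:
        p = parse_unpack_name(u)
        print(f"process {p['process']}: PE recovered at {p['base']:#x} (raw={p['raw']})")
```

Run stand-alone it lists the one injected-looking region (process 5, 0x402000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE) next to the PE recovered at 0x400000 in the same process; the private heap pages at 0x33A1000 and 0x33CC000 that also matched the AgentTesla rule are PAGE_READWRITE and are not flagged.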


                  AV Detection

Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Avira: detected
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Joe Sandbox ML: detected
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: beirutrest.com
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4440040719.00000000033CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://beirutrest.com
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4440040719.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4440040719.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4440040719.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4440040719.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
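The traffic above records a fixed order of events from the victim: a DNS lookup and an HTTPS GET / to api.ipify.org (the external-IP check, sent with a Firefox user agent from a 32-bit .NET process that is not a browser), then a DNS lookup for beirutrest.com, the FTP host in the extracted configuration. The following is an added example, not part of the report or of Joe Sandbox, that derives the host and port to watch from the configuration's "Host" and "Exfil Mode" fields and correlates that sequence over Zeek-style JSON log lines. The log records are constructed for the example; the indicator values (api.ipify.org, beirutrest.com, 104.26.13.205) come from the report, while 203.0.113.10 is a placeholder for the FTP host's address, which the report does not give.

```python
"""Correlate external-IP check followed by contact with the configured C2 host.

Added example, not from the report or Joe Sandbox.  SAMPLE_LOGS is constructed
in Zeek JSON style; indicator values come from the report except 203.0.113.10.
"""
import json
from urllib.parse import urlparse

# Fields from the report's extracted configuration (credentials omitted)
EXTRACTED_CONFIG = {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com"}
IP_CHECK_HOSTS = {"api.ipify.org"}   # external-IP service the sample contacted
WINDOW = 600.0                        # seconds allowed between IP check and C2 contact
DEFAULT_PORTS = {"FTP": 21, "SMTP": 25, "HTTP": 80, "HTTPS": 443}

# Constructed records: dns.log lines carry ts, id.orig_h, query;
# conn.log lines carry ts, id.orig_h, id.resp_h, id.resp_p, service.
SAMPLE_LOGS = """\
{"_path":"dns","ts":1719300000.0,"id.orig_h":"192.168.2.5","query":"api.ipify.org"}
{"_path":"conn","ts":1719300001.0,"id.orig_h":"192.168.2.5","id.resp_h":"104.26.13.205","id.resp_p":443,"service":"ssl"}
{"_path":"dns","ts":1719300040.0,"id.orig_h":"192.168.2.5","query":"beirutrest.com"}
{"_path":"conn","ts":1719300041.0,"id.orig_h":"192.168.2.5","id.resp_h":"203.0.113.10","id.resp_p":21,"service":"ftp"}
{"_path":"dns","ts":1719300100.0,"id.orig_h":"192.168.2.7","query":"api.ipify.org"}
{"_path":"conn","ts":1719300500.0,"id.orig_h":"192.168.2.9","id.resp_h":"203.0.113.44","id.resp_p":21,"service":"ftp"}
"""


def c2_indicators(cfg: dict) -> tuple:
    """Host and port to watch, derived from the config's Host and Exfil Mode."""
    raw = cfg["Host"]
    parsed = urlparse(raw if "://" in raw else "//" + raw)
    port = parsed.port or DEFAULT_PORTS[cfg["Exfil Mode"].upper()]
    return parsed.hostname.lower(), port


def _events(log_text: str) -> list:
    return sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def detect(log_text: str, cfg: dict = EXTRACTED_CONFIG) -> list:
    c2_host, c2_port = c2_indicators(cfg)
    last_ip_check = {}   # source host -> ts of its most recent external-IP lookup
    alerts = []

    def preceded_by_ip_check(host, ts):
        t0 = last_ip_check.get(host)
        return t0 is not None and 0.0 <= ts - t0 <= WINDOW

    for e in _events(log_text):
        host, ts = e["id.orig_h"], float(e["ts"])
        if e["_path"] == "dns":
            q = e["query"].lower().rstrip(".")
            if q in IP_CHECK_HOSTS:
                last_ip_check[host] = ts
            elif q == c2_host:
                # A lookup of the configured exfil host is an alert on its own;
                # a preceding IP check from the same host raises it to high.
                alerts.append({"host": host, "ts": ts, "kind": "dns", "detail": q,
                               "severity": "high" if preceded_by_ip_check(host, ts) else "medium"})
        elif e["_path"] == "conn" and int(e.get("id.resp_p", 0)) == c2_port:
            # Plain FTP is too common to alert on by itself, so require the
            # external-IP check the sample performs first.
            if preceded_by_ip_check(host, ts):
                alerts.append({"host": host, "ts": ts, "kind": "conn",
                               "detail": f"{e['id.resp_h']}:{c2_port}", "severity": "high"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a)
```

On the constructed input only 192.168.2.5 raises alerts (the DNS lookup of beirutrest.com and the FTP connection forty seconds after its api.ipify.org query); the host that only checks its external IP and the host that only uses FTP stay quiet, which is the point of correlating the two rather than alerting on either alone.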

                  System Summary

Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 5.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_00F2E0CC
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_04DE153C
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_04DE20D0
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_04DE0130
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_04DE0123
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_04DE1568
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_04DE1530
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_04DFD758
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_04DFD74B
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_04DFC040
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_04DF5A8C
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_0700C320
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_07003850
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_07008408
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_070064D1
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_070064F0
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_0700EF80
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_07007FC0
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_07007FD0
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_07008DA7
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_07008DB8
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_0700EB50
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_0700EB60
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_07006928
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_07003813
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_07003840
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_018AE5B8
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_018AAA9B
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_018A4A58
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_018ADD38
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_018A3E40
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_018A4188
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_07058970
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_0705B5F8
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_070655A0
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_070665F0
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_0706B238
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_0706C190
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_07063060
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_07067D80
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_070676A0
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_07062340
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_0706E3A8
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_07060040
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_07065CE3
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_07060006
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000000.1980651109.0000000000556000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBzsV.exeH vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1992244928.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1996635975.0000000005480000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1992843072.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1993289609.0000000003A9E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1992843072.0000000002923000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1997417808.00000000079C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4438863315.00000000014F9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Binary or memory string: OriginalFilenameBzsV.exeH vs M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/1@2/2
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\M.V TBN - VESSEL'S DETAILS.docx.scr.exe.log
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Mutant created: NULL
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | ReversingLabs: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe "C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process created: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe "C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process created: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe "C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process created: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe "C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process created: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe "C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process created: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe "C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process created: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe "C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_070046D0 push E006E9F9h; ret 0_2_070046D5
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 0_2_0700BFC7 pushad ; retf 0_2_0700BFC9
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_018AA9E0 push eax; iretd 5_2_018AAA99
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_018A0C55 push edi; retf 5_2_018A0C7A
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Code function: 5_2_0706E20D push cs; ret 5_2_0706E217
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Static PE information: section name: .text entropy: 7.812674923163569
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: M.V TBN - VESSEL'S DETAILS.docx.scr.exe PID: 5528, type: MEMORYSTR
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: EC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: 28C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: 26E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: 7A40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: 8A40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: 8D00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: 9D00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: 1890000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: 3350000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: 5350000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597796
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597687
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597578
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597468
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597359
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597250
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597140
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597031
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596921
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596812
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596702
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596593
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596484
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596375
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596265
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596156
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596047
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595937
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595828
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595718
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595613
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595484
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595375
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595265
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595155
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595046
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 594937
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 594825
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 594707
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 594578
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Window / User API: threadDelayed 8513
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Window / User API: threadDelayed 1348
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 1288 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep count: 38 > 30
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7296 | Thread sleep count: 8513 > 30
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7296 | Thread sleep count: 1348 > 30
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -597796s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292 | Thread sleep time: -597468s >= -30000s
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -597359s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -597250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -597140s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -597031s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -596921s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -596812s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -596702s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -596593s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -596484s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -596375s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -596265s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -596156s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -596047s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -595937s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -595828s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -595718s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -595613s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -595484s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -595375s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -595265s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -595155s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -595046s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -594937s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -594825s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -594707s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe TID: 7292Thread sleep time: -594578s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597796
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597687
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597578
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597468
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597359
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597250
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597140
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 597031
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596921
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596812
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596702
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596593
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596484
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596375
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596265
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596156
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 596047
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595937
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595828
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595718
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595613
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595484
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595375
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595265
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595155
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 595046
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 594937
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 594825
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 594707
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Thread delayed: delay time: 594578
Source: M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4438942608.0000000001631000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Memory written: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process created: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe "C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process created: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe "C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Process created: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe "C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4440040719.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4440040719.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: M.V TBN - VESSEL'S DETAILS.docx.scr.exe PID: 5528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: M.V TBN - VESSEL'S DETAILS.docx.scr.exe PID: 1480, type: MEMORYSTR
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4440040719.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: M.V TBN - VESSEL'S DETAILS.docx.scr.exe PID: 5528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: M.V TBN - VESSEL'S DETAILS.docx.scr.exe PID: 1480, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.3903f90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M.V TBN - VESSEL'S DETAILS.docx.scr.exe.38c9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4440040719.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4440040719.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: M.V TBN - VESSEL'S DETAILS.docx.scr.exe PID: 5528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: M.V TBN - VESSEL'S DETAILS.docx.scr.exe PID: 1480, type: MEMORYSTR
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                  Windows Management Instrumentation
                  1
                  DLL Side-Loading
                  111
                  Process Injection
                  1
                  Masquerading
                  2
                  OS Credential Dumping
                  1
                  Query Registry
                  Remote Services1
                  Email Collection
                  11
                  Encrypted Channel
                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                  DLL Side-Loading
                  1
                  Disable or Modify Tools
                  1
                  Credentials in Registry
                  111
                  Security Software Discovery
                  Remote Desktop Protocol1
                  Archive Collected Data
                  1
                  Ingress Tool Transfer
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)141
                  Virtualization/Sandbox Evasion
                  Security Account Manager1
                  Process Discovery
                  SMB/Windows Admin Shares2
                  Data from Local System
                  2
                  Non-Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                  Process Injection
                  NTDS141
                  Virtualization/Sandbox Evasion
                  Distributed Component Object ModelInput Capture13
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                  Obfuscated Files or Information
                  LSA Secrets1
                  Application Window Discovery
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                  Software Packing
                  Cached Domain Credentials1
                  System Network Configuration Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  DLL Side-Loading
                  DCSync1
                  File and Directory Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem24
                  System Information Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Source | Detection | Scanner | Label | Link
M.V TBN - VESSEL'S DETAILS.docx.scr.exe | 71% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal |
M.V TBN - VESSEL'S DETAILS.docx.scr.exe | 100% | Avira | HEUR/AGEN.1309858 |
M.V TBN - VESSEL'S DETAILS.docx.scr.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.ipify.org/ | 0% | URL Reputation | safe |
https://api.ipify.org | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
https://api.ipify.org/t | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://beirutrest.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
beirutrest.com | 50.87.144.157 | true | true | | unknown
api.ipify.org | 104.26.13.205 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp; M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp; M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4440040719.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp; M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org/t | M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4440040719.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4440040719.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://beirutrest.com | M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4440040719.00000000033CC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
50.87.144.157 | beirutrest.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1467863
                      Start date and time:2024-07-04 23:38:03 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 21s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:M.V TBN - VESSEL'S DETAILS.docx.scr.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@7/1@2/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 130
                      • Number of non-executed functions: 23
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Time | Type | Description
17:38:47 | API Interceptor | 13369655x Sleep call for process: M.V TBN - VESSEL'S DETAILS.docx.scr.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.13.205 | 242764.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
104.26.13.205 | Ransom.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
104.26.13.205 | ld.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
104.26.13.205 | ReturnLegend.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
104.26.13.205 | Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | ArenaWarSetup.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | Sky-Beta Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/?format=json
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
50.87.144.157 | MV RIVA WIND - VESSEL's PARTICULARS.PDF.scr.exe | malicious | AgentTesla | (none)
50.87.144.157 | SEACON MANILA V.2304 PARTICULARS(1).pdf.exe | malicious | AgentTesla, PureLog Stealer | (none)
50.87.144.157 | Lx4YLX1D5O.exe | malicious | AgentTesla, PureLog Stealer, RedLine | (none)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
beirutrest.com | MV RIVA WIND - VESSEL's PARTICULARS.PDF.scr.exe | malicious | AgentTesla | 50.87.144.157
beirutrest.com | SEACON MANILA V.2304 PARTICULARS(1).pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | Lx4YLX1D5O.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 50.87.144.157
api.ipify.org | 0001.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | Zz3h8cOX1E.exe | malicious | Quasar | 104.26.13.205
api.ipify.org | Luciana Alvarez CV.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | Acal BFi UK - Products List 020240704.exe | malicious | AgentTesla, RedLine, StormKitty, XWorm | 172.67.74.152
api.ipify.org | z4XlS0wTQM.exe | malicious | Quasar | 104.26.12.205
api.ipify.org | Zz3h8cOX1E.exe | malicious | Quasar | 104.26.13.205
api.ipify.org | 5gO02Ijl9V.exe | malicious | GuLoader | 104.26.12.205
api.ipify.org | 0NJYTCJYLo.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
api.ipify.org | Order 0003994887588960600000.bat.exe | malicious | GuLoader | 172.67.74.152
api.ipify.org | 3.bat.exe | malicious | GuLoader | 104.26.12.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://www.google.com/url?q=https://authitca-adobue-sign.us-ord-1.linodeobjects.com/apts.html&sa=D&source=editors&ust=1720118061448441&usg=AOvVaw1WUHTIwDQHQCe4Um2Fp0tG | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | am.exe | malicious | Amadey | 172.67.208.139
CLOUDFLARENETUS | qeUaxJCA3FO.exe | malicious | LummaC | 104.21.27.50
CLOUDFLARENETUS | OVER DUE INVOICE PAYMENT.docx.doc | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | https://1drv.ms/b/c/76a2f2769a0f2d92/EVBBlcPr69hPlwB4teIJkR8BhOEwtE3haDg1sSdukRfZrw?e=geYoLr | malicious | HTMLPhisher | 1.1.1.1
CLOUDFLARENETUS | https://1drv.ms/b/c/76a2f2769a0f2d92/EVBBlcPr69hPlwB4teIJkR8BhOEwtE3haDg1sSdukRfZrw?e=geYoLr | malicious | HTMLPhisher | 1.1.1.1
CLOUDFLARENETUS | file.exe | malicious | LummaC, SmokeLoader | 104.21.45.251
CLOUDFLARENETUS | xJwSq336bs.pdf | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://chorbie.com/services/ | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | https://share.mindmanager.com/#publish/mnPTcUqLfLnU6HRHMb6xC3qXYGZYU6tmBtOy3sS6 | malicious | HTMLPhisher | 104.17.25.14
UNIFIEDLAYER-AS-1US | PO#RSB-8927393_2324.exe | malicious | FormBook | 162.241.216.26
UNIFIEDLAYER-AS-1US | SecuriteInfo.com.Win32.MalwareX-gen.20684.5190.exe | malicious | AgentTesla | 162.241.62.63
UNIFIEDLAYER-AS-1US | 80TeZdsbeA6B6j4.exe | malicious | FormBook | 50.87.148.119
UNIFIEDLAYER-AS-1US | https://t.apemail.net/c/nqkr6vk3kzmvyhqvdmdrwaabbycqmbacainqogyhdmkxs5qvdmkqcvagayhveflk-nqdbwfkcivnrkgyvpf3bkgygamaa4bqedmcagbahdmdrwbqbaibq4aypdmdrwby3cupvkw2wlfob4fi3a4nvsqs3lmnrkyl6ojqbozlsm54gkyyvdmaacdqfaycaeaq3cvpugq2hiqgrqgc6ljdvwvsfkjjveu2skjmuixszlamviwc2dfkukgcai4nfiwczinjfsqyylnmfqryylzmvguspdfpugws3cunugrkckinqaaqcdmkxs5qvdnmuew23dnmuew23dnmuew23dnmuew23dmkqcvagayhveflk | malicious | HTMLPhisher | 108.167.151.63
UNIFIEDLAYER-AS-1US | PMcyGpR57k.elf | malicious | Unknown | 74.91.234.112
UNIFIEDLAYER-AS-1US | ztGOiA742S.elf | malicious | Unknown | 142.5.50.93
UNIFIEDLAYER-AS-1US | Purchase order No. 1073 xls.wsf | malicious | Unknown | 192.185.76.254
UNIFIEDLAYER-AS-1US | RFQ - MK FMHS.RFQ.24.101.exe | malicious | FormBook | 162.241.253.174
UNIFIEDLAYER-AS-1US | http://customer-easyparkas.com/ | malicious | Unknown | 192.185.50.220
UNIFIEDLAYER-AS-1US | Electronic Slip_metroplus.org.html | malicious | HTMLPhisher | 192.185.131.129
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | TahsilatMakbuzu.cmd.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | TahsilatMakbuzu.cmd.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | hANEXOPDF.PDF40 234057.msi | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 0001.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Luciana Alvarez CV.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Acal BFi UK - Products List 020240704.exe | malicious | AgentTesla, RedLine, StormKitty, XWorm | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Zz3h8cOX1E.exe | malicious | Quasar | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 5gO02Ijl9V.exe | malicious | GuLoader | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 0NJYTCJYLo.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
                            No context
                            Process:C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1216
                            Entropy (8bit):5.34331486778365
                            Encrypted:false
                            SSDEEP:24:MLV1qE4jE4K5E4KlKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:Mp1qHjHK5HKlYHKh3oPtHo6hAHKze0HJ
                            MD5:B3F9683FD57A94D3C3F5E1AEC259CEAD
                            SHA1:EC2310112CBA894207F624FCC35E9C0FCE80EE2F
                            SHA-256:97FC8E1E4A9D08C91DEC78055942F0562C6EEC2480F5DDA2E7A9E9358AC86F94
                            SHA-512:37407216C4E44C3FFF758637D4661AA9CCAC1C34C9AFEDEAF4ACEFEE8F527921046004F90CD2AE304E1A0EAFB636AC7F0DDBCED579C6642E7C32746491E854F2
                            Malicious:true
                            Reputation:low
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
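The preview above is a line-oriented CSV with CRLF terminators (shown as ".." in the preview): a leading record type, a quoted assembly display name, for some records a quoted native-image path, and a trailing flag. It has the shape of the per-executable usage log the CLR writes under CLR_v4.0\UsageLogs, but the report does not show the dropped file's path, so that identification and the column meanings in the code are assumptions. The following Python is an added example and not part of the report: it parses a reconstruction of the visible, untruncated records (constructed input, not the dropped file) into the list of assemblies the process bound, which is the question a responder asks of this artifact.

```python
import csv
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the complete records visible in the report's preview, with
# CRLF written out where the preview shows "..". Not the dropped file itself;
# the truncated System.Xml record is deliberately left out.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\8b2c1203fd20aea8260bfbc518004720\\System.Core.ni.dll",0\r\n'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\2192b0d5aa4aa14486ae08118d3b9fcc\\System.Configuration.ni.dll",0\r\n'
)

# Assumed meaning of the first column: 1 = runtime setting, 2 = assembly bound
# by display name only, 3 = assembly bound together with a native (NGen) image.
KIND_SETTING, KIND_ASSEMBLY, KIND_NATIVE_IMAGE = 1, 2, 3


@dataclass
class LoadedAssembly:
    name: str
    version: str
    public_key_token: str
    native_image: Optional[str]


def parse_display_name(display_name: str) -> dict:
    """'System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=...' -> attribute dict."""
    parts = [p.strip() for p in display_name.split(",")]
    attrs = {"Name": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key] = value
    return attrs


def loaded_assemblies(log_text: str) -> List[LoadedAssembly]:
    """Return every assembly record in file order; settings records are skipped.
    csv.reader handles the quoted display names, which contain commas."""
    result = []
    for row in csv.reader(log_text.splitlines()):
        if not row:
            continue
        kind = int(row[0])
        if kind == KIND_SETTING:
            continue
        attrs = parse_display_name(row[1])
        native = row[2] if kind == KIND_NATIVE_IMAGE and len(row) > 3 else None
        result.append(LoadedAssembly(
            attrs["Name"], attrs.get("Version", ""), attrs.get("PublicKeyToken", ""), native))
    return result


def assemblies_without_native_image(log_text: str) -> List[str]:
    """Assemblies bound by display name only, i.e. no NGen image was recorded."""
    return [a.name for a in loaded_assemblies(log_text) if a.native_image is None]


if __name__ == "__main__":
    for a in loaded_assemblies(SAMPLE_LOG):
        print(f"{a.name:24} {a.version:10} {a.public_key_token}  {a.native_image or '-'}")
```

Run against a real usage log, the output is the framework surface the malware touched (here WinForms, Drawing, Configuration and Xml alongside the core libraries), which is a cheap cross-check against the capabilities the behavioural signatures claim.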
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.804922237700636
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:M.V TBN - VESSEL'S DETAILS.docx.scr.exe
                            File size:734'720 bytes
                            MD5:856076a266bf66744428123e379d6e54
                            SHA1:88e2e194d5944b748671fefa67c61d3c48af7cf6
                            SHA256:c09cba9da1f8a6c8fbda87ce1c29455118eb13876286388a7d768ba98585aa78
                            SHA512:a5aeb1f440fb332eb5c8cac0ac2c2a5027984acf87c16716e5e96620fd4e379e0a07776e35c2099221ae21ad440d83ec98ca6f6bcd7bc163d6c56d91e52458da
                            SSDEEP:12288:4cxbJytLuL+vKDrPvBMVe/CPMvLM2isPhGCMQJ46Bh7zl:4cxbJnHegVTHisJYjUhN
                            TLSH:B7F4121DA6FD9F27C9BB5BBA219100080373D856F21BF7AE5ECC18E61F42780854A75B
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....yf.................,..........>J... ........@.. ....................................@................................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x4b4a3e
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x667904A4 [Mon Jun 24 05:31:16 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (at entrypoint 0x4b4a3e, section .text)
jmp dword ptr [00402000h]
The rest of the listing is zero-filled padding that the disassembler renders as a long run of "add byte ptr [eax], al"; it is not code. The one real instruction is the standard .NET loader stub: an indirect jump through the IAT at RVA 0x2000 (image base 0x400000 + 0x2000 = 0x402000), whose single entry is the mscoree.dll!_CorExeMain import listed below, so native execution hands straight to the CLR and the managed code in .text is where analysis has to go.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb49e8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0x600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb2a44 | 0xb2c00 | c2ad31cad1851379ccb3c3add89f7c78 | False | 0.8979744864510489 | data | 7.812674923163569 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb6000 | 0x600 | 0x600 | db63f569da53ef159fdbb76ef50bafd5 | False | 0.435546875 | data | 4.198235523205387 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb8000 | 0xc | 0x200 | f5de5a97e8dd4f99e6e87df9187a1ec1 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb6090 | 0x358 | data | | | 0.4287383177570093
RT_MANIFEST | 0xb63f8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
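The static fields above (a COFF timestamp of 0x667904A4, a single mscoree.dll!_CorExeMain import, a .text section with 8-bit entropy 7.81 against 4.20 for .rsrc) are the features a triage script checks before any sandbox run. The following Python is an added example, not Joe Sandbox code and not derived from the sample: it builds a minimal PE-shaped byte string inline (a constructed stand-in, not the real file), decodes the compile timestamp from the COFF header the same way the report's "Time Stamp" line does, and computes Shannon entropy of section contents against a packing threshold of 7.0, which is a common rule of thumb assumed here rather than the report's own cut-off. One caveat the code encodes as a plausibility check: Roslyn's deterministic builds store a hash of the build inputs in TimeDateStamp instead of a clock value, so a decoded date is evidence only when it is plausible, as the 24 June value ten days before this analysis is.

```python
import math
import struct
from datetime import datetime, timezone

# Rule of thumb for "compressed or encrypted" content; an assumption made for
# this example, not the cut-off Joe Sandbox applies.
PACKED_ENTROPY_THRESHOLD = 7.0


def build_minimal_pe(timestamp: int, payload: bytes = b"") -> bytes:
    """Constructed PE-shaped bytes for testing (not a loadable image):
    DOS header, 'PE\\0\\0' signature, COFF header, then raw payload."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)   # e_lfanew sits at 0x3C
    # COFF fields: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos + b"PE\x00\x00" + coff + payload


def coff_timestamp(pe: bytes) -> datetime:
    """Follow e_lfanew to the PE signature and decode the COFF TimeDateStamp as UTC."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # TimeDateStamp follows the 4-byte signature, 2-byte Machine and 2-byte NumberOfSections.
    (stamp,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_is_plausible(pe: bytes, observed_at: datetime) -> bool:
    """A clock value must fall between a sane lower bound and the first sighting.
    Deterministic-build hashes in this field usually land outside that range."""
    stamp = coff_timestamp(pe)
    return datetime(2000, 1, 1, tzinfo=timezone.utc) <= stamp <= observed_at


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_packed(section_data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """True when a section is dense enough to be compressed or encrypted payload."""
    return shannon_entropy(section_data) > threshold


if __name__ == "__main__":
    observed = datetime(2024, 7, 4, 21, 38, tzinfo=timezone.utc)   # report's analysis start, in UTC
    sample = build_minimal_pe(0x667904A4)
    stamp = coff_timestamp(sample)
    print("compiled:", stamp.isoformat(), "plausible:", timestamp_is_plausible(sample, observed))
    # Stand-in section contents: uniform bytes mimic a high-entropy .text,
    # zero fill mimics the tiny .reloc.
    for name, data in ((".text", bytes(range(256)) * 16), (".reloc", b"\x00" * 512)):
        print(f"{name}: entropy={shannon_entropy(data):.2f} packed={looks_packed(data)}")
```

On a real file, feed each section's raw bytes (from the section table's raw offset and size) to shannon_entropy; a code section above the threshold with almost no imports, as here, means the visible PE is a loader and the payload is unpacked at run time.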
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 4, 2024 23:38:50.090708971 CEST | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jul 4, 2024 23:38:50.090759993 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jul 4, 2024 23:38:50.090831995 CEST | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jul 4, 2024 23:38:50.119729996 CEST | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jul 4, 2024 23:38:50.119764090 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jul 4, 2024 23:38:50.629751921 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jul 4, 2024 23:38:50.629837990 CEST | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jul 4, 2024 23:38:50.633759975 CEST | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jul 4, 2024 23:38:50.633779049 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jul 4, 2024 23:38:50.634067059 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jul 4, 2024 23:38:50.676076889 CEST | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jul 4, 2024 23:38:50.720499039 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jul 4, 2024 23:38:50.791158915 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jul 4, 2024 23:38:50.791208982 CEST | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jul 4, 2024 23:38:50.791294098 CEST | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jul 4, 2024 23:38:50.796081066 CEST | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jul 4, 2024 23:38:51.651688099 CEST | 49708 | 21 | 192.168.2.5 | 50.87.144.157
Jul 4, 2024 23:38:51.656521082 CEST | 21 | 49708 | 50.87.144.157 | 192.168.2.5
Jul 4, 2024 23:38:51.656605005 CEST | 49708 | 21 | 192.168.2.5 | 50.87.144.157
Jul 4, 2024 23:38:51.659643888 CEST | 49708 | 21 | 192.168.2.5 | 50.87.144.157
Jul 4, 2024 23:38:51.664680004 CEST | 21 | 49708 | 50.87.144.157 | 192.168.2.5
Jul 4, 2024 23:38:51.664890051 CEST | 49708 | 21 | 192.168.2.5 | 50.87.144.157
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 4, 2024 23:38:50.077231884 CEST | 49406 | 53 | 192.168.2.5 | 1.1.1.1
Jul 4, 2024 23:38:50.084377050 CEST | 53 | 49406 | 1.1.1.1 | 192.168.2.5
Jul 4, 2024 23:38:51.320318937 CEST | 54584 | 53 | 192.168.2.5 | 1.1.1.1
Jul 4, 2024 23:38:51.650697947 CEST | 53 | 54584 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 4, 2024 23:38:50.077231884 CEST | 192.168.2.5 | 1.1.1.1 | 0xc2a4 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jul 4, 2024 23:38:51.320318937 CEST | 192.168.2.5 | 1.1.1.1 | 0xcc39 | Standard query (0) | beirutrest.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 4, 2024 23:38:50.084377050 CEST | 1.1.1.1 | 192.168.2.5 | 0xc2a4 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 23:38:50.084377050 CEST | 1.1.1.1 | 192.168.2.5 | 0xc2a4 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 23:38:50.084377050 CEST | 1.1.1.1 | 192.168.2.5 | 0xc2a4 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 23:38:51.650697947 CEST | 1.1.1.1 | 192.168.2.5 | 0xcc39 | No error (0) | beirutrest.com | | 50.87.144.157 | A (IP address) | IN (0x0001) | false
                            • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 104.26.13.205 | 443 | 1480 | C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-04 21:38:50 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-07-04 21:38:50 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Thu, 04 Jul 2024 21:38:50 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 89e243bb0e3b4373-EWR
2024-07-04 21:38:50 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33
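The network tables above record one short sequence: an A lookup for api.ipify.org, a TLS session to 104.26.13.205 carrying a plain GET / that returns the sandbox's public address, then an A lookup for beirutrest.com and a TCP connection to 50.87.144.157 on port 21 about 1.5 seconds later. Only the port 21 handshake is captured, so the report itself does not show what went over FTP. The following Python is an added example, not Joe Sandbox code: it replays constructed events modelled on those tables (CEST wall clock as printed, the HTTP request time taken from the first client data packet) and flags a cleartext FTP or SMTP connection that begins shortly after a public-IP echo request. It generalises the one sequence seen here to several echo services and ports, and the service list and 60-second window are assumptions, not values from the report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Union

# Assumptions for this example, not lists taken from the report: services whose
# only purpose is to echo the caller's public address, and cleartext ports that
# credential stealers commonly use to send results home.
IP_ECHO_SERVICES = {"api.ipify.org", "ipify.org", "checkip.dyndns.org", "icanhazip.com"}
CLEARTEXT_EXFIL_PORTS = {21: "ftp", 25: "smtp", 587: "smtp-submission"}
CORRELATION_WINDOW = timedelta(seconds=60)


@dataclass
class DnsAnswer:
    ts: datetime
    name: str
    address: str


@dataclass
class TcpConnect:
    """First client packet of a flow."""
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class HttpRequest:
    """A request seen in clear (here: inside the sandbox's decrypted TLS session)."""
    ts: datetime
    dst: str
    host: str
    method: str
    path: str


Event = Union[DnsAnswer, TcpConnect, HttpRequest]


def at(h: int, m: int, s: int, us: int) -> datetime:
    return datetime(2024, 7, 4, h, m, s, us)


# Constructed from the report's DNS, TCP and HTTPS tables (CEST wall clock,
# nanoseconds truncated to microseconds). Not a capture file.
SAMPLE_EVENTS: List[Event] = [
    DnsAnswer(at(23, 38, 50, 84377), "api.ipify.org", "104.26.13.205"),
    DnsAnswer(at(23, 38, 50, 84377), "api.ipify.org", "172.67.74.152"),
    DnsAnswer(at(23, 38, 50, 84377), "api.ipify.org", "104.26.12.205"),
    TcpConnect(at(23, 38, 50, 90708), "192.168.2.5", 49706, "104.26.13.205", 443),
    HttpRequest(at(23, 38, 50, 119729), "104.26.13.205", "api.ipify.org", "GET", "/"),
    DnsAnswer(at(23, 38, 51, 650697), "beirutrest.com", "50.87.144.157"),
    TcpConnect(at(23, 38, 51, 651688), "192.168.2.5", 49708, "50.87.144.157", 21),
]


def find_ip_check_then_exfil(events: List[Event]) -> List[dict]:
    """Report cleartext FTP/SMTP flows that start within CORRELATION_WINDOW of a
    public-IP echo request. A decrypted HTTP request to an echo service counts,
    and so does a TLS flow to an address that an echo service name resolved to,
    so the rule still fires when the HTTP payload is not visible."""
    pdns = {}          # address -> name, built only from answers seen so far
    lookups = []       # (timestamp, echo service name)
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if isinstance(e, DnsAnswer):
            pdns[e.address] = e.name
        elif isinstance(e, HttpRequest):
            if e.host in IP_ECHO_SERVICES:
                lookups.append((e.ts, e.host))
        elif isinstance(e, TcpConnect) and e.dport == 443 and pdns.get(e.dst) in IP_ECHO_SERVICES:
            lookups.append((e.ts, pdns[e.dst]))
        elif isinstance(e, TcpConnect) and e.dport in CLEARTEXT_EXFIL_PORTS:
            recent = [(ts, host) for ts, host in lookups
                      if timedelta(0) <= e.ts - ts <= CORRELATION_WINDOW]
            if recent:
                ts, host = recent[-1]
                findings.append({
                    "src": e.src,
                    "dst": e.dst,
                    "dst_name": pdns.get(e.dst, e.dst),
                    "channel": CLEARTEXT_EXFIL_PORTS[e.dport],
                    "ip_check_host": host,
                    "seconds_after_lookup": (e.ts - ts).total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for f in find_ip_check_then_exfil(SAMPLE_EVENTS):
        print(f"{f['channel']} to {f['dst_name']} ({f['dst']}) "
              f"{f['seconds_after_lookup']:.2f}s after public-IP check via {f['ip_check_host']}")
```

The passive-DNS map is built incrementally so a flow is only labelled with names that had resolved before it started; feeding the same logic from Zeek dns.log and conn.log, or from a proxy log that exposes the Host header, is a matter of mapping those records onto the three event types.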


                            Target ID:0
                            Start time:17:38:47
                            Start date:04/07/2024
                            Path:C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
                            Imagebase:0x4a0000
                            File size:734'720 bytes
                            MD5 hash:856076A266BF66744428123E379D6E54
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:17:38:48
                            Start date:04/07/2024
                            Path:C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
                            Imagebase:0x1c0000
                            File size:734'720 bytes
                            MD5 hash:856076A266BF66744428123E379D6E54
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:4
                            Start time:17:38:48
                            Start date:04/07/2024
                            Path:C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
                            Imagebase:0x3c0000
                            File size:734'720 bytes
                            MD5 hash:856076A266BF66744428123E379D6E54
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:5
                            Start time:17:38:48
                            Start date:04/07/2024
                            Path:C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
                            Imagebase:0xfc0000
                            File size:734'720 bytes
                            MD5 hash:856076A266BF66744428123E379D6E54
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4440040719.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4440040719.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4440040719.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false


                              Execution Graph

                              Execution Coverage:7.8%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:330
                              Total number of Limit Nodes:21

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4']q$4']q$4']q$4']q$4']q
                              • API String ID: 0-4248691736

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: (aq$Haq
                              • API String ID: 0-3785302501

                              Control-flow Graph

                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07009B6E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0

                              Control-flow Graph

                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07009B6E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: 73bdd2f9be52525f817f1bd53c1490a31850de694b2e0f0691207a878c1729fe
                              • Instruction ID: 94028e98bf3896e8717fa95bcb1f1f2251c3b428470b4986d5fc40c34d736f54
                              • Opcode Fuzzy Hash: 73bdd2f9be52525f817f1bd53c1490a31850de694b2e0f0691207a878c1729fe
                              • Instruction Fuzzy Hash: A3918FB1D1021ACFEB24CF68C841BEDBBF2BF45310F148269D858A7291DB74A995CF91

                              Control-flow graph: basic blocks f2b328-f2b5a8; GetModuleHandleW called from block f2b560-f2b58b; internal calls to f28870, f2b5b0/f2b5c0, f2af90, f2afa0, f2afb0 and f2afc0.
                              Memory Dump Source
                              • Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f20000_M.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 69b3e7db4a70dfd973d8eb5d1c6588dc1876e8eccb6302d8f55b5ba9ce94d9af
                              • Instruction ID: ada9d3b0c00baa6bf8a6542246fdf0fc0c3b913fa2dde48aaad2021453f22499
                              • Opcode Fuzzy Hash: 69b3e7db4a70dfd973d8eb5d1c6588dc1876e8eccb6302d8f55b5ba9ce94d9af
                              • Instruction Fuzzy Hash: F7714670A00B158FD724DF29E49579ABBF1FF88314F00892DD84AD7A50EB78E945CB91

                              Control-flow graph: basic blocks 4de14e8-4de1f49; CreateWindowExW called from block 4de1e5b-4de1efa.
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DE1EEA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995207602.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4de0000_M.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: 38b31fb48633c9ba54b897b0bd243b192e77d935b6b048bb111feea434dd7ede
                              • Instruction ID: 0dfd3f1588332e1dcf64a013c361b0b059ecea0b84f349132d74f4d68415bb78
                              • Opcode Fuzzy Hash: 38b31fb48633c9ba54b897b0bd243b192e77d935b6b048bb111feea434dd7ede
                              • Instruction Fuzzy Hash: 2A51B2B1D10309DFDB14DF9AC884ADEBBB5FF48310F24812AE819AB250D775A885CF90

                              Control-flow graph: basic blocks 4de1dcc-4de1f49; CreateWindowExW called from block 4de1e9b-4de1efa.
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DE1EEA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995207602.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4de0000_M.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: 0ca4cf21b8b88bd8cf0eee97459a1ca5d10e7589652173d5b4d083e7d7d83c35
                              • Instruction ID: e6131ea2dd81c1a820174b7ced89498ef7b8b52040e4965379a741835c324b11
                              • Opcode Fuzzy Hash: 0ca4cf21b8b88bd8cf0eee97459a1ca5d10e7589652173d5b4d083e7d7d83c35
                              • Instruction Fuzzy Hash: 7751C1B1D00309DFDB14DF9AD884ADDBBB6BF48300F24812AE419AB250DB75A885CF90
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00F262B1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f20000_M.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 514cd8d8881fd89860eea2aca9ab8e1a6c6944f205df185d9e1c4019c8dbc808
                              • Instruction ID: 68500316b3b8697722b0ccb70f7d6831841651655c4c203388c1dc886f25c71f
                              • Opcode Fuzzy Hash: 514cd8d8881fd89860eea2aca9ab8e1a6c6944f205df185d9e1c4019c8dbc808
                              • Instruction Fuzzy Hash: 7E4104B0C00719CFDB24DFA9C9447CDBBB1BF88304F20806AD418AB255DB75A94ACF90
                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04DE4461
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995207602.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4de0000_M.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: 79a781937c6557ca1b97864da169ac553f646105f6ab0a6e1f117b205a14bff2
                              • Instruction ID: be044d12c6f5ef8ae4f61a2d48fe219283795e10826987dc16acad4df13e2f6b
                              • Opcode Fuzzy Hash: 79a781937c6557ca1b97864da169ac553f646105f6ab0a6e1f117b205a14bff2
                              • Instruction Fuzzy Hash: 994117B5A00209CFDB14DF9AC488AAABBF5FF88318F24C459D519A7321D774E845CFA0
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00F262B1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f20000_M.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: cb504f89bd60d401002ee5d64ee4f0d20386ba560241c3e7442e21f446f82e73
                              • Instruction ID: 47cce809d3056c0f6a96fc49bf000553916ffe9a385fc6da5340bd47b32d8eea
                              • Opcode Fuzzy Hash: cb504f89bd60d401002ee5d64ee4f0d20386ba560241c3e7442e21f446f82e73
                              • Instruction Fuzzy Hash: B541E0B0C0071DCBDB24DFA9C944B9DBBF5BF88304F20806AD419AB255DB75A94ACF91
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07009340
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 54bc59443126abf6ab61c8c421a32e8e459f2424c45614cba853ab186c5a3adb
                              • Instruction ID: 4ce992525ea09fe60e33068ae38062e38c6f633b35385234d95bbb26a3a83686
                              • Opcode Fuzzy Hash: 54bc59443126abf6ab61c8c421a32e8e459f2424c45614cba853ab186c5a3adb
                              • Instruction Fuzzy Hash: BB2148B59003499FDB10CFA9C845BEEBBF5FF48310F508429E559A7281C778A544CFA0
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07009340
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: cceac1cf8876c089b0c53de95c5f12fbca2d0a1bfb16ab1899cf6f07502a217e
                              • Instruction ID: 3c974009f2c58e2f9fd7fd8f5b303be748c4183d662ef526cf490d60def27453
                              • Opcode Fuzzy Hash: cceac1cf8876c089b0c53de95c5f12fbca2d0a1bfb16ab1899cf6f07502a217e
                              • Instruction Fuzzy Hash: 5E212AB19003099FDB10DFA9C845BEEBBF5FF48310F108429E519A7241C778A544CFA4
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07009420
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: d1ce66f73e162ebdcbed50e8db37ba158fe40608593b39ae9832ceaf7f4db4ab
                              • Instruction ID: 0d534c1d275f8af42e88f58db820f00a7578a62e22f3e313ec7f013b61e84d81
                              • Opcode Fuzzy Hash: d1ce66f73e162ebdcbed50e8db37ba158fe40608593b39ae9832ceaf7f4db4ab
                              • Instruction Fuzzy Hash: 63214AB1C003499FCB10DFAAC845AEEFBF5FF48310F508429E518A7240C779A540CBA1
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F2D7CE,?,?,?,?,?), ref: 00F2D88F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f20000_M.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 8aa18c4bbaba889b3954d56065956688d913e03423641eaac982d2823b4cae4f
                              • Instruction ID: a76eb1d6d55dba8a8f81594dd97887ef74c6e58ff15e463d31b2c542a0201b1c
                              • Opcode Fuzzy Hash: 8aa18c4bbaba889b3954d56065956688d913e03423641eaac982d2823b4cae4f
                              • Instruction Fuzzy Hash: D821E4B5D00218DFDB10DF9AD584AEEBBF8FB48310F14842AE958A7350D378A950DFA0
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F2D7CE,?,?,?,?,?), ref: 00F2D88F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f20000_M.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 6b6ee02b78affbddfa60c2002b39609ce0a71feeab4a54b28da0ad79b66a5d7b
                              • Instruction ID: 99167662984a4c7fdc74e02b1c05a70221c3b30fdae5b575ae48a502cdcf1201
                              • Opcode Fuzzy Hash: 6b6ee02b78affbddfa60c2002b39609ce0a71feeab4a54b28da0ad79b66a5d7b
                              • Instruction Fuzzy Hash: 7521F4B59002089FDB10CF99D484ADEBBF4FB48310F10841AE958A7310D378A941DFA0
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07008D5E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: fc9d7ba3c7c0100b756228664240e63235c391dfb402934ee16f71157bd67a11
                              • Instruction ID: 2b1b9860d3e61498d705aff845179885e745067f9297e0a40ad7c82dc0e4bf36
                              • Opcode Fuzzy Hash: fc9d7ba3c7c0100b756228664240e63235c391dfb402934ee16f71157bd67a11
                              • Instruction Fuzzy Hash: EF2138B19003098FDB10DFAAC4857EEBBF4FF48324F10842AD419A7280DB78A945CFA1
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07009420
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 1e51d7cee42475ac382ecf41335da8cb71bc40b199366bd5829553556fa3e807
                              • Instruction ID: 1f8981d96ff952cb56a6ed841d0f7213f555dde554b62adcc89364b6249cb5b4
                              • Opcode Fuzzy Hash: 1e51d7cee42475ac382ecf41335da8cb71bc40b199366bd5829553556fa3e807
                              • Instruction Fuzzy Hash: AE2139B1C003499FDB10DFAAC845AEEFBF5FF48310F508429E519A7240C778A940CBA0
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07008D5E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: e07f78f647c68b14ee3f37cbd29ac16e3e0d19c2d5861e8873639f24d9e6c553
                              • Instruction ID: 85c27dd041a5b2ecad497ad348e7f84903ebe2b25abc192c6d1ea3aedd5ee3f5
                              • Opcode Fuzzy Hash: e07f78f647c68b14ee3f37cbd29ac16e3e0d19c2d5861e8873639f24d9e6c553
                              • Instruction Fuzzy Hash: 8A2138B19003098FDB10DFAAC4857EEBBF4FF48324F10842AD419A7280DB78A945CFA1
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0700925E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 96cae726f4895805c631df38fec956ab182453b9284cd2fdb33b3c60bf059bf5
                              • Instruction ID: 18db1cc81dfd8c82a8355c48e60a534655e6f766322ade029fed4406f83b85e8
                              • Opcode Fuzzy Hash: 96cae726f4895805c631df38fec956ab182453b9284cd2fdb33b3c60bf059bf5
                              • Instruction Fuzzy Hash: 27114AB19002499FDB20DFAAC844AEEFBF5EF48320F108419E519A7250C779A540CFA0
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F2B5F9,00000800,00000000,00000000), ref: 00F2B80A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f20000_M.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 3d37650dd0a496b8d939cd61614f527365c95f0ce1f8f922a80dbe2babf6a5ed
                              • Instruction ID: e9e6c520b3c1693f72de82fb7eeafc1d6f6bdad03e5dc8dc5ec60ae12933ad1f
                              • Opcode Fuzzy Hash: 3d37650dd0a496b8d939cd61614f527365c95f0ce1f8f922a80dbe2babf6a5ed
                              • Instruction Fuzzy Hash: 2E11E7B6D003599FDB10DF9AD444ADEFBF8EB88310F10842AE919A7200C379A545CFA5
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0700925E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 17ecff534f6affdd0b7d37d2ea219c37c2bbd14c2553b6ed6c0e6e7faa14acce
                              • Instruction ID: 04e4a93f14ea24f3ee1f6506cf6c4a257b8fdad202c70e889bf5d7d702ab240c
                              • Opcode Fuzzy Hash: 17ecff534f6affdd0b7d37d2ea219c37c2bbd14c2553b6ed6c0e6e7faa14acce
                              • Instruction Fuzzy Hash: 031137B19002499FDB20DFAAC844AEEFFF5EF88320F108419E519A7250CB79A540CFA0
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F2B5F9,00000800,00000000,00000000), ref: 00F2B80A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f20000_M.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 2a951c7c4f475640a9024e05f5db9d872be97d927e59125ac3ea024bd55c1b91
                              • Instruction ID: da5dff09afd6dcda28b40a48460b96a510a4a433c00fc25ee2481a76f9f593da
                              • Opcode Fuzzy Hash: 2a951c7c4f475640a9024e05f5db9d872be97d927e59125ac3ea024bd55c1b91
                              • Instruction Fuzzy Hash: F211F3B6D00209CFDB14CFAAD444ADEFBF9EB88320F10842AD959A7250C779A545CFA4
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0700BF8D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 83ffc7fc711a923a84d9864c3ceab82790eba720a18585a08e5041333ada3c11
                              • Instruction ID: 40f5828e766d65973a9b48e60983bdaffefe56eab74a192eaf57adb52be4fe18
                              • Opcode Fuzzy Hash: 83ffc7fc711a923a84d9864c3ceab82790eba720a18585a08e5041333ada3c11
                              • Instruction Fuzzy Hash: 5B11A4B58003499FDB10DF99D845BEEBBF8EB58320F20841AE558A7240D3756994CFA5
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00F2B344), ref: 00F2B57E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f20000_M.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 88326e35c55bd42b6324a80c5d16c61be3dba77a5a595982f7d75a6077e1b9d1
                              • Instruction ID: 5eea56d463a5238bd3d44fd99b7da171952f2adfc07eecc6e76a04bb1c972f1b
                              • Opcode Fuzzy Hash: 88326e35c55bd42b6324a80c5d16c61be3dba77a5a595982f7d75a6077e1b9d1
                              • Instruction Fuzzy Hash: 771132B1C00749CFCB20CF9AD444A9EFBF4EF88324F14802AD819A7214D379A945CFA0
                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0700D3C0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: c2c40f10b401cbe74af02fbfe566e5e1f12a5e05d28295f3292f4207bf47a5bf
                              • Instruction ID: 15f9f639dc5adcf5fb874aad694cb41f054033fc2361601c5ff0cf4b31a38efa
                              • Opcode Fuzzy Hash: c2c40f10b401cbe74af02fbfe566e5e1f12a5e05d28295f3292f4207bf47a5bf
                              • Instruction Fuzzy Hash: 1A1113B59003498FDB20DF99C449BEEBBF4EB48320F108469D968A7240D738A544CFA5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0700BF8D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 2ba05e5461610aec7041883bbb42fde96ea873f7c41c81a04971cb9b6f02d404
                              • Instruction ID: 6094d9d0358a553761ae26ee6f9eb42b5159e6cb7e464c32c24d5d5f054ae779
                              • Opcode Fuzzy Hash: 2ba05e5461610aec7041883bbb42fde96ea873f7c41c81a04971cb9b6f02d404
                              • Instruction Fuzzy Hash: EC1106B5800349DFDB10DF99D848BEEBBF8EB48320F108419E519A7240C375A944CFE5
                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0700D3C0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 00113c36578bbfb0476b1c5ec0375482892f6345fa2f9ed798a926c8936ff134
                              • Instruction ID: afd6c9abcda306bfe9916235019e7e2ece035227d9b9f99408526bbe91b9e8fd
                              • Opcode Fuzzy Hash: 00113c36578bbfb0476b1c5ec0375482892f6345fa2f9ed798a926c8936ff134
                              • Instruction Fuzzy Hash: 811103B5900749CFDB20DF9AD549BEEBBF4EB48320F10842AD568A7240D778A544CFA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: f2204ce7c63931113ac3685a65927ceaa57a8be9b53931cce741cede8349df5f
                              • Instruction ID: 8ffbd096d8754b7b22af0a1d9bb6617c90e547c477debbd53248ca639baeff36
                              • Opcode Fuzzy Hash: f2204ce7c63931113ac3685a65927ceaa57a8be9b53931cce741cede8349df5f
                              • Instruction Fuzzy Hash: 68112AB0800349CFDB64DFAAC449BAEBFF9FF49714F208419D55967280DB786540CBA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 6c8228b61ab7dc75b9a82519adba8e848553f73c2d49f4993f174594483b2fd6
                              • Instruction ID: 7f8503e1f82bab791457ffda09ddd29d2914211587d8196c4a32d5c040dd05ef
                              • Opcode Fuzzy Hash: 6c8228b61ab7dc75b9a82519adba8e848553f73c2d49f4993f174594483b2fd6
                              • Instruction Fuzzy Hash: EB0108B08003498EDB24DFAAC449BAEBFF8EF49714F108419D559A7280DB786544CBA5
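Added example (editor's code, not part of the Joe Sandbox report or its signature engine): grouped by memory-dump region, the API entries above line up as the process-injection chain the report's "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures describe. The script parses lines in the report's own "• Api.Module(args), ref: ADDR" and "Offset:" format, groups calls by dump region, checks that every ref address falls inside its region, and flags a region as a hollowing candidate when it contains a CreateProcess call, VirtualAllocEx, WriteProcessMemory and a (Wow64)SetThreadContext. The excerpt is constructed from this page's lines; the four-step rule is the editor's assumption about the minimal chain. ResumeThread is listed on this page only by API ID with no ref line, so it is not in the parsed input and not required by the rule.

```python
import re
from collections import defaultdict

# Constructed excerpt: API and Memory Dump Source lines copied from this
# report's function entries (three dump regions). Only the grouping and the
# rule below are added; none of the addresses is invented.
REPORT_EXCERPT = """
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07009B6E
• Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00F2B344), ref: 00F2B57E
• Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DE1EEA
• Source File: 00000000.00000002.1995207602.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07009340
• Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07009420
• Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F2D7CE,?,?,?,?,?), ref: 00F2D88F
• Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07008D5E
• Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0700925E
• Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F2B5F9,00000800,00000000,00000000), ref: 00F2B80A
• Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0700BF8D
• Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
"""

# One "• Api.Module(args), ref: ADDR" line per call, as the report prints them.
API_RE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
OFFSET_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+)")

# Minimal process-hollowing chain used as the rule (editor's assumption, not
# the sandbox's own signature logic): spawn, allocate, write, redirect thread.
HOLLOWING_STEPS = {
    "create": {"CreateProcessA", "CreateProcessW"},
    "alloc": {"VirtualAllocEx"},
    "write": {"WriteProcessMemory"},
    "context": {"SetThreadContext", "Wow64SetThreadContext"},
}


def parse_api_calls(text):
    """Group (api, module, ref) tuples by dump-region base address.

    A function entry lists its API lines first and its Memory Dump Source line
    last, so calls are held until the Offset line closes the entry.
    """
    regions = defaultdict(list)
    pending = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            pending.append((m["name"], m["module"], int(m["ref"], 16)))
            continue
        m = OFFSET_RE.search(line)
        if m:
            regions[int(m["offset"], 16)].extend(pending)
            pending = []
    return dict(regions)


def refs_outside_region(regions, span=0x100000):
    """Sanity check: every ref should lie inside its region (base <= ref < base + span)."""
    return [
        (api, ref)
        for base, calls in regions.items()
        for api, _, ref in calls
        if not base <= ref < base + span
    ]


def hollowing_regions(regions):
    """Return {base: {step: api}} for regions whose API set covers every step."""
    hits = {}
    for base, calls in regions.items():
        names = {api for api, _, _ in calls}
        matched = {}
        for step, candidates in HOLLOWING_STEPS.items():
            found = names & candidates
            if not found:
                break
            matched[step] = sorted(found)[0]
        else:
            hits[base] = matched
    return hits


if __name__ == "__main__":
    regions = parse_api_calls(REPORT_EXCERPT)
    for base, steps in hollowing_regions(regions).items():
        print(f"hollowing chain in region {base:08X}: "
              + ", ".join(f"{s}={a}" for s, a in steps.items()))
```

Run against the excerpt, only the 07000000 region satisfies all four steps; the 00F20000 region (GetModuleHandleW, DuplicateHandle, LoadLibraryExW) and the 04DE0000 region (CreateWindowExW) do not, which is the separation an analyst wants before pulling the 07000000 dump for the injected payload.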
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 43b9f0902edca05f943f69197dff4a1ac02125931d281fca078779f337f2fc70
                              • Instruction ID: 9c21f39067f100dafcd6a4dc3aed1370fb9c277f63e7016a1c6641d9e0f1ff33
                              • Opcode Fuzzy Hash: 43b9f0902edca05f943f69197dff4a1ac02125931d281fca078779f337f2fc70
                              • Instruction Fuzzy Hash: 0A42D631E10619CFCB24DF69C8946DDB7B1FF89304F1186AAD559BB261EB30AA85CF40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4b57e1400f4cb7e80955ab45d635b5c66153df184023fb33c288e0ea197c246a
                              • Instruction ID: ae5e68bc9ecc5ae28d15a87b8978a8c232a8884120f14251d250320e0f6480f0
                              • Opcode Fuzzy Hash: 4b57e1400f4cb7e80955ab45d635b5c66153df184023fb33c288e0ea197c246a
                              • Instruction Fuzzy Hash: C0E1F531E106198FCB24DF68CC946EDB7B1FF49314F1186AAD559AB361EB30AA85CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 36cd97ee17e640f2a469ed0425fc53c81e4e9663b111d43fe78ce39149008157
                              • Instruction ID: 9a0bbb4f85792d0e31aa99dfdfdbb0aef2ccdb7540274bf20c0fd302773b55f1
                              • Opcode Fuzzy Hash: 36cd97ee17e640f2a469ed0425fc53c81e4e9663b111d43fe78ce39149008157
                              • Instruction Fuzzy Hash: 0DB17171B012089FCB14DFA8D994AED7BF2FF88310F1641A5E909AB395DA34BD41CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1991615851.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b1d000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d3c910171c20409a78fb89890109778dfd3b246474b0118e28dc686503329fe5
                              • Instruction ID: b9043be20c103a928d2f259e358cd492eaf26f0e91344fc90136115678561475
                              • Opcode Fuzzy Hash: d3c910171c20409a78fb89890109778dfd3b246474b0118e28dc686503329fe5
                              • Instruction Fuzzy Hash: A3213471500240DFDB15DF14D9C0F66BFA6FBA8318F60C5A9E9090B256C33AD896DBB2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 187c8323b5f71eed10ca7fae78e1bad54a690f9166415d125c6f9842d4c05d8d
                              • Instruction ID: 51aeaa1043a0b9d58c0351aa1cd1c5f2f02d4fabd6db70f5afc75d1031766be0
                              • Opcode Fuzzy Hash: 187c8323b5f71eed10ca7fae78e1bad54a690f9166415d125c6f9842d4c05d8d
                              • Instruction Fuzzy Hash: 9F215E343006108FDB299B39D854A6A77E9FF85714B5580AEE646CB371DB76FC02CB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fd6cdbf37783ab8311b276e90b13b7f48e93a996ad5db3336f24e6504a40e43b
                              • Instruction ID: db051b878ad4569bef7fe9880658545c95b4d968f0e6f768bc6527e9f7998156
                              • Opcode Fuzzy Hash: fd6cdbf37783ab8311b276e90b13b7f48e93a996ad5db3336f24e6504a40e43b
                              • Instruction Fuzzy Hash: 8821BC71A10B058BDB00AF68D880385B7B5FF88310F1482B9E84C6B34AEB74B949CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1991653122.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b2d000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 45221d2f2ca2d2579934ee13db397087375104fce3dfa0973f4312e54f19dbcb
                              • Instruction ID: 037bbb6e4ecaf9d7252d9cc29de37992c7628fc7abb3c6d8ff8256d4cbed1a1d
                              • Opcode Fuzzy Hash: 45221d2f2ca2d2579934ee13db397087375104fce3dfa0973f4312e54f19dbcb
                              • Instruction Fuzzy Hash: A9210471604204EFDB05DF24E9C0F26BBA5FB88314F20C9ADE90D4B296C33AD806CA61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1991653122.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b2d000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ef398dabc6f1fcc9e6a9f4f5235dbdf34543eafe252caaac94107e321408a78b
                              • Instruction ID: f3a6dcb02b9fa39733639b446c1c47a5ba99141937a37917492cbeb5270012b4
                              • Opcode Fuzzy Hash: ef398dabc6f1fcc9e6a9f4f5235dbdf34543eafe252caaac94107e321408a78b
                              • Instruction Fuzzy Hash: 9B21D371504244DFCB14DF24E5D4B17BBA5EB88314F20C5A9D94D4B2A6C33AD807CA61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: beed409bb0ee92833de4631075cc97ed2dc0bfb6d6f233d0cb5131d4b7225b37
                              • Instruction ID: d229a2012a2c97a31cfb8e91a10dacf489bb8ff6aaf5db8c13756c8762b173b4
                              • Opcode Fuzzy Hash: beed409bb0ee92833de4631075cc97ed2dc0bfb6d6f233d0cb5131d4b7225b37
                              • Instruction Fuzzy Hash: AF215B303006108FDB289B39C854A6A73EAEF85714B5584AEE606CB375DB76FC06CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e47ce5ad8e764de1e03eaddb456fdec9fffe6f42734e4942f62a59cb6680cbc
                              • Instruction ID: 8d78dbcc28a7f5b30469a2e47a9b196afca65acde893a6e65d129bb044d73ce0
                              • Opcode Fuzzy Hash: 5e47ce5ad8e764de1e03eaddb456fdec9fffe6f42734e4942f62a59cb6680cbc
                              • Instruction Fuzzy Hash: 16119031F106154BDB20EFA9D8452BEB7B2EB85710F05852AD609A7305EA78B9018781
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e2993eab741cc1d9fe8e7850ad3eecab9abc53676aec3c5bd8141e294700efc2
                              • Instruction ID: 1d0e1cc8fd15100059e4819d5e623742cb1f730ec46d5a37c1dda8ef0ce7c196
                              • Opcode Fuzzy Hash: e2993eab741cc1d9fe8e7850ad3eecab9abc53676aec3c5bd8141e294700efc2
                              • Instruction Fuzzy Hash: CF11D072F106158BDB309F69DC456BEB7A2EB85714F15802ACA05D7345EA38BD0187C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ece51997f839f733b2ba570a162cd8e9d08971435ceebf0dc55c69583e83793f
                              • Instruction ID: ce002546fe13ded1658f46151970cc7ae052e9c73a608b9ed95c6f88a22ff41a
                              • Opcode Fuzzy Hash: ece51997f839f733b2ba570a162cd8e9d08971435ceebf0dc55c69583e83793f
                              • Instruction Fuzzy Hash: B01122303043008FD734AA25DC91B6AB7A6FFC5310F55846AE9498B2A6CB74F8068780
                              Memory Dump Source
                              • Source File: 00000000.00000002.1991653122.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b2d000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 28911295abaaea766997444fad376872dfce37ca7e6560a45992606700ed04f4
                              • Instruction ID: 1c97cd86030dafa09e18331260620d654fb7dca7d8a24563087078be0968b27b
                              • Opcode Fuzzy Hash: 28911295abaaea766997444fad376872dfce37ca7e6560a45992606700ed04f4
                              • Instruction Fuzzy Hash: E421A4755083809FCB02CF14D994B12BFB1FB46314F28C5DAD8498F2A7C33A980ACB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 31cd83089d21c1e40af3ec1b6e7fbd575b8fb4909cf040b8e1a3a2386290ec10
                              • Instruction ID: fd591dbb46a4539dfaae1a5af7ce13b3f6bc2a293cc0a8632ea65461161e73a6
                              • Opcode Fuzzy Hash: 31cd83089d21c1e40af3ec1b6e7fbd575b8fb4909cf040b8e1a3a2386290ec10
                              • Instruction Fuzzy Hash: 3D219A31A10A118BDB00AF68D880785B3A5FF88320F1486B9EC4D7B34AEB75B845CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2110098dd7615c91306e15769f62585cec85e096ae249e21473e575a9746fb5
                              • Instruction ID: 22d4f3298b463df9f03ef5a764ff3b794306fbd2db50552996ace90cef5c6b3d
                              • Opcode Fuzzy Hash: d2110098dd7615c91306e15769f62585cec85e096ae249e21473e575a9746fb5
                              • Instruction Fuzzy Hash: 531182303003009BD739EA65DC91B6AB3D6FFC5714F55C47AE949872A4CB75F8468790
                              Memory Dump Source
                              • Source File: 00000000.00000002.1991615851.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b1d000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                              • Instruction ID: 9bdc1c9caf17d8ea49a38860db2dd98900a5ac37010fcf288a41bb4d99e9896c
                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                              • Instruction Fuzzy Hash: E511D376504280CFCB16CF14D5C4B56BFB2FBA8314F24C6A9D9490B656C336D85ACBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1991653122.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b2d000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                              • Instruction ID: 2896b91285c2616ba3133837fdb1941bf79877c1b76bbd4b9ffb1c66e15a00f9
                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                              • Instruction Fuzzy Hash: 8F118B75504280DFDB16CF14D5C4B15BBA1FB84314F24CAA9D8494B696C33AD84ACB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2d30523a2685783016102bc5551f24444e8f366dd71ffc45f4b227089d0965d1
                              • Instruction ID: e6b908afd2368e5596435c91b5338130398e6900dcb1c5b6f2f38540ebd0a9a0
                              • Opcode Fuzzy Hash: 2d30523a2685783016102bc5551f24444e8f366dd71ffc45f4b227089d0965d1
                              • Instruction Fuzzy Hash: 5111A030A00214DBDB28EBA4D845BAFB7F5EF45300F018439E55AA77A1DB74BC09CB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 48e96619dff19853a1affb2acb0ce56aa428b8ef8c0e32c2f8744bbf2f748815
                              • Instruction ID: d3044daf813f103560ef125e3f4c4ad37dfe73680453787161fe09ecbc39ee0c
                              • Opcode Fuzzy Hash: 48e96619dff19853a1affb2acb0ce56aa428b8ef8c0e32c2f8744bbf2f748815
                              • Instruction Fuzzy Hash: 8D11CE30A00218DBDB28EB64D855BAEB7F5FF45300F018829E556A73A0DF74BC08CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9beb1c1e597b28af60beb60e09c3d67bc6d1e7859c07c7d7afd60e0b3de5a52a
                              • Instruction ID: 7740847e199f298c036b5ac6223822e98ef86fce23737a4f5e45743d0391e26a
                              • Opcode Fuzzy Hash: 9beb1c1e597b28af60beb60e09c3d67bc6d1e7859c07c7d7afd60e0b3de5a52a
                              • Instruction Fuzzy Hash: 0B01D472A02621BBD7359F09DC00269FBA4BF45B14B0A421BD66853E21C770F490CBE1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1b5d681d0b80701298406df832c6908788d36f2fe94f7e9885d94219deedcd97
                              • Instruction ID: 93059339f040dff26930cdfb83315a041fbb20e178e02da042b2fee1eafdf97a
                              • Opcode Fuzzy Hash: 1b5d681d0b80701298406df832c6908788d36f2fe94f7e9885d94219deedcd97
                              • Instruction Fuzzy Hash: 4B016D343006008FC7509B6DD86896937EAEFCE614B1A40ABE60ACB361CE24FC05CBA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f40b2cb83e5dfcfc2bc7e73e8f9ffd064f97fa9b08a46c2034574355f393816d
                              • Instruction ID: fadbdebe20ee40dc1f111918414690ece912e7172010e8b35ce4018f76d6a7d4
                              • Opcode Fuzzy Hash: f40b2cb83e5dfcfc2bc7e73e8f9ffd064f97fa9b08a46c2034574355f393816d
                              • Instruction Fuzzy Hash: B1F0F6313016008FC725AF29F88485ABBB6FF8A325715066FE50A87266DF39EC07CB51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ad0dd5b3900f50da4b15e576c424809b0e02d8fa3c3604155e97f1cc0d58cb73
                              • Instruction ID: 7b04e2c26d70f954a852f3a8b7d9ebd576781bc91cc3074f59420fcbec4dcfc7
                              • Opcode Fuzzy Hash: ad0dd5b3900f50da4b15e576c424809b0e02d8fa3c3604155e97f1cc0d58cb73
                              • Instruction Fuzzy Hash: B6F01D343101108FC6449B6DD85C96977EAEFCD715B1940ABE60ACB364CE64FC018B90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bab99777d9d1f5260ddabf0b00b90848f85d36858361e34f12fc352e228c93bd
                              • Instruction ID: 77473a116b8c198897d2ae0fa353666c3d0efc33b203553aacafdb16fac996fb
                              • Opcode Fuzzy Hash: bab99777d9d1f5260ddabf0b00b90848f85d36858361e34f12fc352e228c93bd
                              • Instruction Fuzzy Hash: F0F054313006108FC725AB1AE84495AB7BAFFCA725751066EE50687725DF35EC46CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f2258972678ad8b060778ff6f6f3e19d913a700dd096cff542db26d209cac9fa
                              • Instruction ID: b9afc45204ddf412af20e853042d798619c777e5ea42d2b31c5a166573a91fbe
                              • Opcode Fuzzy Hash: f2258972678ad8b060778ff6f6f3e19d913a700dd096cff542db26d209cac9fa
                              • Instruction Fuzzy Hash: 3DF02B321501508FC321E62CD8C8AC937A8EF46350F0A41B3E645DB236D539B887C785
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4e453de2267ce5b62c20f82f049c506b7306ea8ef4281182c644e8f979c010e5
                              • Instruction ID: 815540e455079dd89a2b291fddf35549f9a80547a115d1d4fa7145c2c82b594e
                              • Opcode Fuzzy Hash: 4e453de2267ce5b62c20f82f049c506b7306ea8ef4281182c644e8f979c010e5
                              • Instruction Fuzzy Hash: 53E09271B10A240B5718FB6ABC0186AFADFAFC8614318C27FE90DCB726ED30BD014684
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57967d0d98ec5a50f0a30e380cda30ea4d206682d153a01cffcb5d4fb1327490
                              • Instruction ID: 7d56058270ebf166cdc4adb93811fd9de1a865d6eab610d2056523d397e66968
                              • Opcode Fuzzy Hash: 57967d0d98ec5a50f0a30e380cda30ea4d206682d153a01cffcb5d4fb1327490
                              • Instruction Fuzzy Hash: 95E0D8B1315B549F8725966AED014627BEEAFC520430681AFD749CB762D530BC0287D5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8c5439fd02b5de2fb9e4394e8650aff97e2447f653f062ef5acf25bf8f468e57
                              • Instruction ID: 1f5caef3703ee3ea27cb5803d6fc31bb1a658e130f360e0d24d02171214e0bbf
                              • Opcode Fuzzy Hash: 8c5439fd02b5de2fb9e4394e8650aff97e2447f653f062ef5acf25bf8f468e57
                              • Instruction Fuzzy Hash: 8AE04F322500148FC721EA1CE989BE573A8FB8A354F1A45B3F659EB235C635F882C781
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4048d537df22dc9fbae2c76dfe2826fac4a7474bb74f6499dfba780c5ad35e86
                              • Instruction ID: 7883c9c9d15078b72a6d393138e05e24f3a0487d07670d44caf45ef940ba2e17
                              • Opcode Fuzzy Hash: 4048d537df22dc9fbae2c76dfe2826fac4a7474bb74f6499dfba780c5ad35e86
                              • Instruction Fuzzy Hash: F6D0C71276A1601BE706237D78570AC2FD5D58B99235A40E7E141D7347DC548D4B4392
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b65c0fd13cde9da375870afa348887284b6a587797278863c6ae37de73198652
                              • Instruction ID: 81563b007692ce7730bd99f284e4b75848e76e5816f1a7da3ed02102f0b0e062
                              • Opcode Fuzzy Hash: b65c0fd13cde9da375870afa348887284b6a587797278863c6ae37de73198652
                              • Instruction Fuzzy Hash: 84E02B717002149FE325672CD910C6A3FDDEF5E2603114067FE04CB362CAA4EC0083D9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 51e862ed84c1b27eed9654fe16527ba94d73d86ad955b9a279a1cc5e2bcb4102
                              • Instruction ID: 1f2705db950559d3be190cd0273017085381477f8b682849fc6b7547356764fb
                              • Opcode Fuzzy Hash: 51e862ed84c1b27eed9654fe16527ba94d73d86ad955b9a279a1cc5e2bcb4102
                              • Instruction Fuzzy Hash: 58D012367101249F8704AB6CE804CAA7BEDDF5D660311806AFA09CB361CE71EC1197D4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 66ff890f19cf94cec1ee44371a78e8195bcc278cb967eebc12349630cda5d2db
                              • Instruction ID: 22fa04798c255f663b5e9b56624825cf50f125c7dec9352dcda71eab0d0bc675
                              • Opcode Fuzzy Hash: 66ff890f19cf94cec1ee44371a78e8195bcc278cb967eebc12349630cda5d2db
                              • Instruction Fuzzy Hash: A0A0122068400443F50063D44CC537B1000DFC4300FD08811110041206544CE806D087
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 61f5efaee77e654912b843377e0025bded9edfea87ae3e7465757bd13b510d5e
                              • Instruction ID: fc896396e9bfe360452187310153d8cd3715ca5052bf9c1c2ebde2a967c93878
                              • Opcode Fuzzy Hash: 61f5efaee77e654912b843377e0025bded9edfea87ae3e7465757bd13b510d5e
                              • Instruction Fuzzy Hash: B5A002187A690552B935B2691E9953D8916FFD170C7D2AC75534291435981CF4489027
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: PH]q$PH]q
                              • API String ID: 0-1166926398
                              • Opcode ID: e40545a319c214046d75c3c3116dfb6072662c5ed89164b75ab3f62efd832452
                              • Instruction ID: 89a5e95ee1cc17d3b5f0f9755f0b12923a0a0df4f4ca0474d138f78d0d6a3dc0
                              • Opcode Fuzzy Hash: e40545a319c214046d75c3c3116dfb6072662c5ed89164b75ab3f62efd832452
                              • Instruction Fuzzy Hash: 01D1D474A00206CFEB58DF69C598AA9B7F1BF4D310F2581A8E505EB3B1DB31AD41CB60
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: }K9I
                              • API String ID: 0-3311055346
                              • Opcode ID: bd38f741614642f75e5b871676d7d10a8abc9a31c90f1375f1d182bb4efa5711
                              • Instruction ID: 167df4a7de6985a73200492da03377d113d029c0ef5404b01e466362aa699765
                              • Opcode Fuzzy Hash: bd38f741614642f75e5b871676d7d10a8abc9a31c90f1375f1d182bb4efa5711
                              • Instruction Fuzzy Hash: 1AE108B4E101198FDB14DFA9C5809AEFBF2BF89315F24C269D514AB356D730A981CFA0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: }K9I
                              • API String ID: 0-3311055346
                              • Opcode ID: 6f297307f7d4eebb7d47b64acf90c1f94ace78fbce8303c450429e38c3b6e2d2
                              • Instruction ID: fe673d8a1a5296644397c07a7cddd8c0ef7e61990db24b5cda3b8cfb8a91bc54
                              • Opcode Fuzzy Hash: 6f297307f7d4eebb7d47b64acf90c1f94ace78fbce8303c450429e38c3b6e2d2
                              • Instruction Fuzzy Hash: BB5129B0E102198FDB14DFA9C5805AEFBF2BF89314F24C26AD418A7356D7309A41CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d76aa2eb13d2ebfcb3c11704648f5d8cf2330421ba8aa003bd5637647b3c2e7c
                              • Instruction ID: e6f23bab80d650958afa8815e0aaacf9f5d133e1bc075b6685b8e8fb7696d4ff
                              • Opcode Fuzzy Hash: d76aa2eb13d2ebfcb3c11704648f5d8cf2330421ba8aa003bd5637647b3c2e7c
                              • Instruction Fuzzy Hash: BE721530A10219CFCB25EF28C994AE8B7B1FF95304F1646E9D6496B211EB71ADC5CF90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a8547c02c14e14358aca53c6c7e82ae71c38b7ae77a7a19c32238d0331fba1d0
                              • Instruction ID: 491adec42ad7385a7965fb9d431031a545387308ea4c19a3a15e183e1fbbec43
                              • Opcode Fuzzy Hash: a8547c02c14e14358aca53c6c7e82ae71c38b7ae77a7a19c32238d0331fba1d0
                              • Instruction Fuzzy Hash: E5321830E20619CFDB24EF78C854BA8B7B1FF85304F1685E9D5496B222EB31A995CF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995207602.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4de0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 485cf64e84ccc923305d7086fc1d5de0dc1c924e844c7fd40f127abc71c58052
                              • Instruction ID: 97e073a05a694106977778528c24f36f3d57426b699fc1a66b671e19ca055040
                              • Opcode Fuzzy Hash: 485cf64e84ccc923305d7086fc1d5de0dc1c924e844c7fd40f127abc71c58052
                              • Instruction Fuzzy Hash: 77128FB8401746ABE710CF65F97C2893BA1FBC1328B944219D3A52B3E5DBBD194ACF44
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b5926fe1d0be290489eef4a92591bd50dde6bdb44485a5cec8060d4c4b25555a
                              • Instruction ID: 863139d5bc45ee213a3662ec50264942b69e3bc580ce46b3c0b4375ec8274857
                              • Opcode Fuzzy Hash: b5926fe1d0be290489eef4a92591bd50dde6bdb44485a5cec8060d4c4b25555a
                              • Instruction Fuzzy Hash: 6AE109B4E101198FDB14DFA8C5809AEFBF2BF89315F24C269D514A7396D730A981CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e28238f1352ffe07653194cc778d3fdc602e52d381c881eb3cab671a4d0f060d
                              • Instruction ID: 698c01c93c4b43092a6b7bf8626e3d4ace4b4040ec17f28bec46127e994fdd8c
                              • Opcode Fuzzy Hash: e28238f1352ffe07653194cc778d3fdc602e52d381c881eb3cab671a4d0f060d
                              • Instruction Fuzzy Hash: 59E11AB4E101198FDB14DFA8C5809AEFBF2FF89315F248269D414AB356D731A981CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 138020c898f0984c2a1cd16b42dcfc3d7c68dcdea398332042723a857e55e4ed
                              • Instruction ID: 24b4732cce53a3a6917143ec8c024509e4905fff8ad380104d99bee71ae046e5
                              • Opcode Fuzzy Hash: 138020c898f0984c2a1cd16b42dcfc3d7c68dcdea398332042723a857e55e4ed
                              • Instruction Fuzzy Hash: 96E10BB4E105198FDB14DFA8C5809AEFBF2BF89315F24C269D414A7396D730A981CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3796bfde5f75df01d8af011073c007a73d5f231e67238d80242c7c6925f6c84a
                              • Instruction ID: c24728455a253cf17daae6246e8c977fbf657b39a940960856c0b8652e4d10f8
                              • Opcode Fuzzy Hash: 3796bfde5f75df01d8af011073c007a73d5f231e67238d80242c7c6925f6c84a
                              • Instruction Fuzzy Hash: A7E117B4E001198FDB14DFA8C5809AEFBF2FF89315F248269D414AB356D731A981CFA0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f20000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7793fb9d68c6a5355e145665313af2df8c04d67aa13b2e8d01707fd27d3c2096
                              • Instruction ID: 77370fbd7a32a4aa26e0d636d976e11b49dcef5926600f9efe1559efee51c314
                              • Opcode Fuzzy Hash: 7793fb9d68c6a5355e145665313af2df8c04d67aa13b2e8d01707fd27d3c2096
                              • Instruction Fuzzy Hash: 26A1AD32E102298FCF05DFB4D88459EB7B2FF85310B24417AE806AB221DB35ED5ADB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995207602.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4de0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d45a5f34fc08c33eff94aa06c5468bc8ba927e2339e3e89e24b4dca0ba2c40a5
                              • Instruction ID: fb01834f96896e8f46eb969f11bc02de08f981cb2eba5926e2560229848b07c5
                              • Opcode Fuzzy Hash: d45a5f34fc08c33eff94aa06c5468bc8ba927e2339e3e89e24b4dca0ba2c40a5
                              • Instruction Fuzzy Hash: 81C1D0B9810646ABE710CF69F8781897BB1FFC5328B544219D3616B3E5DBBC188ACF44
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fca5fb1af5d27ff86396b3f8af7f150ab2e6cf49e29699bafd7ce2b89ff90747
                              • Instruction ID: cc7185e759f0d6e2f8fd1f5bab10c850856ba8b336c071ec97761afa754f23e7
                              • Opcode Fuzzy Hash: fca5fb1af5d27ff86396b3f8af7f150ab2e6cf49e29699bafd7ce2b89ff90747
                              • Instruction Fuzzy Hash: F67141B0701A018FE369DF3AD444B66B7E2FF89310F19C96DD05A9B2A1DB31E845CB41
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 679304c57ac58ba06512e4eabfc6aa8022c74c2ba37a82c9c6211b174cea8e05
                              • Instruction ID: a3eacfb9deca516523f424088d90932e1b2681bf2f80b346cb16b717cf44ffd8
                              • Opcode Fuzzy Hash: 679304c57ac58ba06512e4eabfc6aa8022c74c2ba37a82c9c6211b174cea8e05
                              • Instruction Fuzzy Hash: FF513EB0601A02CFE368DF3AC544BA6B7E2BF89311F19C96DD05E972A1DB31E841CB41
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c6067dcb290f24df62dc209ade0a3c4e4a9a91b68abdc1908d6ff5b85e2b078a
                              • Instruction ID: d9add11b1d35357ec1132a8440f51ce0683acc1c21e3c4c43a81ae615a803352
                              • Opcode Fuzzy Hash: c6067dcb290f24df62dc209ade0a3c4e4a9a91b68abdc1908d6ff5b85e2b078a
                              • Instruction Fuzzy Hash: 005150B4E042198FDB14DFA9C5405AEFBF2BF89315F24C26AD418A7356C7319A41CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7000000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bf1c56808c9500a273a022ff953f417848dc0c23fa8cc64b938aa84e004ae7f8
                              • Instruction ID: 5b0feb5eece3678ce7a334aef805c601a87a717a5392f6d8685f577cd7743a2b
                              • Opcode Fuzzy Hash: bf1c56808c9500a273a022ff953f417848dc0c23fa8cc64b938aa84e004ae7f8
                              • Instruction Fuzzy Hash: 835118B0E106198FDB14DFA9C9805AEFBF2BF89311F24C16AD418A7356D7319942CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4df0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4']q$4']q$4']q$4']q$4']q
                              • API String ID: 0-4248691736
                              • Opcode ID: 67c701ce49b6f8898db2ed11fa3866afd793897554e244dc30c6d8924181229d
                              • Instruction ID: f659f7b688eb22bf8afff324ca5e86521a9fd784e673bcf163b95b9a6fc99519
                              • Opcode Fuzzy Hash: 67c701ce49b6f8898db2ed11fa3866afd793897554e244dc30c6d8924181229d
                              • Instruction Fuzzy Hash: AA215C30E1010A8BCF08EFB8E8509DEB7F6FF84710F5445A5D04577254EB35AA45CBA1
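Every "Memory Dump Source" entry above names its dump with an eight-field .sdmp descriptor and a "based on PE" flag. The Python below is added here as a worked example; it is not Joe Sandbox code and not part of this report. It parses those Source File lines and flags the regions a practitioner pulls first: executable, writable, private memory that is not a mapped PE image, which is where unpacked or injected code lands. The field layout (process index, stage, dump id, base address, page protection, MEMORY_BASIC_INFORMATION.Type) is an assumption inferred from the values on this page together with the winnt.h constants 0x40 = PAGE_EXECUTE_READWRITE and 0x20000 = MEM_PRIVATE; fields 6 and 8 are left undecoded. The sample lines are copied from this section.

```python
"""Decode Joe Sandbox 'Memory Dump Source' descriptors and flag likely unpacked code.

Added example, not Joe Sandbox code.  The field layout of the .sdmp name is an
ASSUMPTION inferred from this report's values and from winnt.h constants; Joe
Sandbox does not document it.  Fields 6 and 8 are not decoded.
"""
import re
from dataclasses import dataclass

# winnt.h page-protection constants (standard values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type values (standard).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.I)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int  # field 1: process index in the analysis (0 = submitted sample)
    stage: int          # field 2: analysis stage the snapshot belongs to (assumed)
    base: int           # field 4: region base address
    protect: int        # field 5: page protection at dump time (assumed)
    mem_type: int       # field 7: MEMORY_BASIC_INFORMATION.Type (assumed)
    based_on_pe: bool   # Joe Sandbox flag: dump was carved from a loaded PE image

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def looks_unpacked(self) -> bool:
        """RWX private memory that is not a mapped PE: where unpacked/injected code lands."""
        return self.protect == 0x40 and self.mem_type == 0x20000 and not self.based_on_pe


def parse_source_line(line: str) -> DumpRegion:
    """Parse one 'Source File: ..., Offset: ..., based on PE: ...' line."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a Source File line: {line!r}")
    fields = m.group("name")[:-len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected descriptor layout: {m.group('name')}")
    region = DumpRegion(
        process_index=int(fields[0], 16),
        stage=int(fields[1], 16),
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        mem_type=int(fields[6], 16),
        based_on_pe=m.group("pe").lower() == "true",
    )
    # Consistency check: the Offset column must equal the base field of the descriptor.
    if int(m.group("offset"), 16) != region.base:
        raise ValueError("Offset does not match the descriptor's base address")
    return region


def triage(lines):
    """One DumpRegion per distinct (process, base) that looks like unpacked code, sorted."""
    seen = {}
    for line in lines:
        region = parse_source_line(line)
        key = (region.process_index, region.base)
        if key not in seen and region.looks_unpacked:
            seen[key] = region
    return sorted(seen.values(), key=lambda r: (r.process_index, r.base))


# Constructed sample: the distinct Source File lines that appear in this section.
SAMPLE_LINES = [
    "Source File: 00000000.00000002.1995237816.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false",
    "Source File: 00000000.00000002.1997249629.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false",
    "Source File: 00000000.00000002.1995207602.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false",
    "Source File: 00000000.00000002.1992599088.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false",
    "Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"process {r.process_index} base 0x{r.base:08x} "
              f"{r.protect_name} {r.type_name} unpacked={r.looks_unpacked}")
```

All five regions in this section are RWX, MEM_PRIVATE and not PE-backed, so all five are flagged. Treat the flag as a triage order, not proof: JIT-compiled .NET code also lives in executable private heaps, so the decision is made by reading the dumps, not the descriptors.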

                              Execution Graph

                              Execution Coverage:10.7%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:178
                              Total number of Limit Nodes:19
                              execution_graph: [flattened node/edge source of the execution-graph figure; not readable as text. Recoverable from it: entry nodes at 18a0848, 184d030, 7052ac0 and 7052878; Win32 APIs reached from the graph: CreateWindowExW, LoadLibraryExW, GetModuleHandleW, GlobalMemoryStatusEx, CallWindowProcW, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId; some nodes are only summarised as "2 API calls" / "3 API calls".]
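The execution_graph entry is the flattened node/edge source of the execution-graph figure, which the HTML viewer renders but which is unreadable as extracted text. The parser below is added here as an example and is not Joe Sandbox code; it recovers the API call sites and their callers from that token stream so the figure can be queried without the viewer. The token grammar is an assumption inferred from this page: "<node-id> <hex address> [label ...]" declares a node, "<src>-><dst>" declares an edge, and a label is either a Win32 API name or "<n> API calls" for a node the graph only summarises. The sample is a fragment of this report's own graph text.

```python
"""Recover API call sites from a flattened Joe Sandbox execution_graph dump.

Added example, not Joe Sandbox code.  The token grammar assumed here is inferred
from this report's text: "<node-id> <hex address> [label ...]" declares a node,
"<src>-><dst>" declares an edge, and a label is either a Win32 API name or
"<n> API calls" for a node that the graph only summarises.
"""
import re
from collections import defaultdict

HEX_ADDR_RE = re.compile(r"[0-9a-f]{6,8}")      # addresses seen on the page are 6-8 hex digits
API_NAME_RE = re.compile(r"[A-Z][A-Za-z0-9]+")   # Win32 API names: CapitalisedWords, e.g. LoadLibraryExW
SUMMARY_RE = re.compile(r"^(\d+) API calls?$")    # collapsed node, e.g. "3 API calls"


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {'addr', 'labels'}; edges is a list of (src, dst)."""
    tokens = text.split()
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                   # edge token
            src, dst = tok.split("->", 1)
            edges.append((src, dst))
            current = None                                # labels never follow an edge
        elif tok.isdigit() and i + 1 < len(tokens) and HEX_ADDR_RE.fullmatch(tokens[i + 1]):
            nodes[tok] = {"addr": tokens[i + 1], "labels": []}   # node declaration
            current = tok
            i += 1                                        # consume the address token
        elif current is not None:
            nodes[current]["labels"].append(tok)          # label belongs to the last node
        i += 1
    return nodes, edges


def api_sites(nodes):
    """Map API name -> call-site addresses; also return nodes summarised as 'N API calls'."""
    sites, summarised = defaultdict(list), {}
    for node in nodes.values():
        m = SUMMARY_RE.match(" ".join(node["labels"]))
        if m:
            summarised[node["addr"]] = int(m.group(1))
            continue
        for name in node["labels"]:
            if API_NAME_RE.fullmatch(name):
                sites[name].append(node["addr"])
    return dict(sites), summarised


def callers_of(nodes, edges, api_name):
    """Addresses of graph nodes with an edge into a node that calls api_name."""
    targets = {nid for nid, node in nodes.items() if api_name in node["labels"]}
    return sorted({nodes[src]["addr"] for src, dst in edges if dst in targets and src in nodes})


# Constructed sample: a fragment of this report's execution_graph text.
SAMPLE_GRAPH = """execution_graph 37265 7051b7f 37264->37265 37266 705175c 3 API calls 37265->37266 37267 7051ba0 37266->37267
37347 705af15 37346->37347 37348 705af54 37347->37348 37352 705b1b8 LoadLibraryExW 37347->37352 37353 705b1aa LoadLibraryExW 37347->37353
37349 705af4c 37349->37348 37350 705b158 GetModuleHandleW 37349->37350 37351 705b185 37350->37351 37352->37349 37353->37349
37393 18aea95 37394 18aeb7e GlobalMemoryStatusEx 37393->37394 37395 18aebae 37394->37395
37396 7052ac0 DuplicateHandle 37397 7052b56 37396->37397
37461 7052878 37462 70528be GetCurrentProcess 37461->37462 37464 7052910 GetCurrentThread 37462->37464 37466 7052909 37462->37466
37465 705294d GetCurrentProcess 37464->37465 37467 7052946 37464->37467 37470 7052983 37465->37470 37466->37464 37467->37465
37468 70529ab GetCurrentThreadId 37469 70529dc 37468->37469 37470->37468"""

if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    sites, summarised = api_sites(nodes)
    for api, addrs in sorted(sites.items()):
        print(f"{api:22s} called at {', '.join(addrs)}; callers {callers_of(nodes, edges, api)}")
    print("summarised nodes:", summarised)
```

callers_of answers the question the viewer is normally opened for: which code reaches GlobalMemoryStatusEx (here the node at 18aea95). That call is worth a look because total-RAM checks are a common sandbox-evasion heuristic, but the graph records only the call site, not its purpose; the disassembly at the caller decides.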

                              Control-flow Graph

                              control_flow_graph: [flattened basic-block adjacency list of the control-flow figure for the function at 7063060-706386b, which calls 7063878 and 7063880; the figure's executed / not-executed colouring is not recoverable from the text.]
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                              • API String ID: 0-3723351465
                              • Opcode ID: 81759375b47788156db37eee93865c2cc5cd1a1d9cede87a0af644721dcb030b
                              • Instruction ID: 77ea9a9fdb0a91d0f7e2b34e8ff56770224b91f34728b8be57053be65351c988
                              • Opcode Fuzzy Hash: 81759375b47788156db37eee93865c2cc5cd1a1d9cede87a0af644721dcb030b
                              • Instruction Fuzzy Hash: C1323D31E1061A8FCB14EF79D89469DF7B6FF89300F10D66AD409A7264EF34A985CB81

                              Control-flow Graph

                              control_flow_graph: [flattened basic-block adjacency list of the control-flow figure for the function at 7067d80-70683c0, which calls 70665a0 from two blocks; the figure's executed / not-executed colouring is not recoverable from the text.]
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: $]q$$]q
                              • API String ID: 0-127220927
                              • Opcode ID: 1cba03d624099c1bc8c34b425d28e69504a6319c89669b47848ec22bcc5d05c0
                              • Instruction ID: c8dc444c8a755884441d32cc159c39dd720a6239319a74c926ea5fb215ccc279
                              • Opcode Fuzzy Hash: 1cba03d624099c1bc8c34b425d28e69504a6319c89669b47848ec22bcc5d05c0
                              • Instruction Fuzzy Hash: C5028D70B002068FDB54DB68D4A4A6EB7E6FF88304F14CA29D909DB394DB75ED46CB81
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: $
                              • API String ID: 0-3993045852
                              • Opcode ID: fe40b3e40cf522906afd050be8a266e0811c36342c9e566765325d696343e529
                              • Instruction ID: 03c0c2c8d255197b7ae8476ef9c8172351697937db5e0d9557cad1f77e71a64a
                              • Opcode Fuzzy Hash: fe40b3e40cf522906afd050be8a266e0811c36342c9e566765325d696343e529
                              • Instruction Fuzzy Hash: 5C22D4B5E002068FDF24CFA4C8A46AEB7F2FF85314F248569D445AB344DA35DD52CB91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c7a29e668aeb6ac5ebef6c0345b5578fd4b41dee125f88e0e1d6476aad2c1f67
                              • Instruction ID: f06882da2daa50d7c57bae35d8ba0c7fd4ae81937ddb426b0a473d972c7dc2f8
                              • Opcode Fuzzy Hash: c7a29e668aeb6ac5ebef6c0345b5578fd4b41dee125f88e0e1d6476aad2c1f67
                              • Instruction Fuzzy Hash: AB925574A002058FDB64CB68C5A8AADB7F2FF49314F5486A9D409EB361DB35EC85CF81
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8001da4d3838e8059b1bf5382786e76a753b8660aaf0197e741a38f3ea5b26a3
                              • Instruction ID: fa577c3845bddbd20dcb7cda2415012250aa3d76cf56f18fd0ddf7312567eb6a
                              • Opcode Fuzzy Hash: 8001da4d3838e8059b1bf5382786e76a753b8660aaf0197e741a38f3ea5b26a3
                              • Instruction Fuzzy Hash: 0462B070B002058FDB14DB68D5A8AADB7F6EF88314F148669D906DB390DB36ED42CB91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d311c21a0223ce8b38275811023d55bb69a68b8b1b13b5426c3f90f66522609b
                              • Instruction ID: 4d2523e8e1abf7b7e7511ba3d7364688478801b02aa5f421e7bb17bc687985ec
                              • Opcode Fuzzy Hash: d311c21a0223ce8b38275811023d55bb69a68b8b1b13b5426c3f90f66522609b
                              • Instruction Fuzzy Hash: B6327E70A0020A8FEB14DF68D994BAEB7F6FB88314F108629D545EB354DB34EC45CBA1
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16f3e2d6ed2e2d616b3c89edc8a79432b1ae3dee0856d7b821c33b8b3e002773
                              • Instruction ID: c7a2a15f36baf70c3c1fe94732ef860e9b71e31d71109d0d57b633b87b3abed6
                              • Opcode Fuzzy Hash: 16f3e2d6ed2e2d616b3c89edc8a79432b1ae3dee0856d7b821c33b8b3e002773
                              • Instruction Fuzzy Hash: 3E224FF0A0010A9FDF64CA6DD5A87ADB7F6FB45310F248A25E405DB391DA38DC85CB92

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                              • API String ID: 0-1273862796
                              • Opcode ID: 543e2e73fba3c6ab447c19ab70d94957dbb64a0c7cdc0ae46a7f0f2737f43649
                              • Instruction ID: 3ea6abc0aeee5ddf2a20b0039e68564205320fa898c7a401e58e4b0cb0f7e776
                              • Opcode Fuzzy Hash: 543e2e73fba3c6ab447c19ab70d94957dbb64a0c7cdc0ae46a7f0f2737f43649
                              • Instruction Fuzzy Hash: 55E17EB0B0020A8FDB55EF68D4A46AEB7F6EF85304F208629D505EB354DB35EC46CB91

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                              • API String ID: 0-3723351465
                              • Opcode ID: c1fa9aaf0fdd7846995cbf7219fa78301ec8cc16333d862298ef584f29f94d5f
                              • Instruction ID: 767c72dbe46e59cafaed20e67474373917720cc69c226c4ad8805a381f596481
                              • Opcode Fuzzy Hash: c1fa9aaf0fdd7846995cbf7219fa78301ec8cc16333d862298ef584f29f94d5f
                              • Instruction Fuzzy Hash: B1027BF0A0020A8FDB64CF68D4A87ADB7F6FB85310F20862AD415DB255DB74ED85CB91

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 070528F6
                              • GetCurrentThread.KERNEL32 ref: 07052933
                              • GetCurrentProcess.KERNEL32 ref: 07052970
                              • GetCurrentThreadId.KERNEL32 ref: 070529C9
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: affc0275a0529ca66030791fcde757b11b8630b3fe911f85bddfcff4f8f14472
                              • Instruction ID: 68bd92527d5af477c26b59e8d4a43c07bab350e71e7542db442d61060269d0ad
                              • Opcode Fuzzy Hash: affc0275a0529ca66030791fcde757b11b8630b3fe911f85bddfcff4f8f14472
                              • Instruction Fuzzy Hash: B65156F09002499FDB14DFA9D548BAEBBF1FF88304F248569E409A7360D739A944CF65

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 070528F6
                              • GetCurrentThread.KERNEL32 ref: 07052933
                              • GetCurrentProcess.KERNEL32 ref: 07052970
                              • GetCurrentThreadId.KERNEL32 ref: 070529C9
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: 0bb1cc836007c1952825ea539d30f35eb206fbd649f29ea89cc324e46d783c70
                              • Instruction ID: a1f96f7ccb60dc4aeec7245d6d2e88c56da3482f7497ce965270084030ea5d96
                              • Opcode Fuzzy Hash: 0bb1cc836007c1952825ea539d30f35eb206fbd649f29ea89cc324e46d783c70
                              • Instruction Fuzzy Hash: 785165F09003499FDB04DFAAD548BAEBBF5FF88300F208569E409A7360D739A944CB65

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: $]q$$]q$$]q$$]q
                              • API String ID: 0-858218434
                              • Opcode ID: bfcafb04fd32f80ebb5b664ece787fc34be7d87021b2b34af4830edce2df8b27
                              • Instruction ID: 72ab9d7ee00b362da7e0dcc349ffab037a5b449600b2115ec54e16da5dae9baf
                              • Opcode Fuzzy Hash: bfcafb04fd32f80ebb5b664ece787fc34be7d87021b2b34af4830edce2df8b27
                              • Instruction Fuzzy Hash: 64916170B1020A8FDB54DB65D864BAEB3F6FF88304F108569C909DB744EE74ED468B91

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: $]q$$]q$$]q
                              • API String ID: 0-182748909
                              • Opcode ID: 1eefe1bf0d5cce536570b040ca6bdb1cbd668841146afe541530fb3b202e6b1b
                              • Instruction ID: d151cbedfc2f9f71666db6cfcb8243cdc44d732cd80580574ff5d010910df271
                              • Opcode Fuzzy Hash: 1eefe1bf0d5cce536570b040ca6bdb1cbd668841146afe541530fb3b202e6b1b
                              • Instruction Fuzzy Hash: 3E623A7070020A8FCB15DF68E594A5DB7EAFF84304F248A68D4099F369DB75ED46CB81

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: fbq$XPbq$\Obq
                              • API String ID: 0-4057264190
                              • Opcode ID: e5d105b9cf96cd393ff3eca4696897eac00554bde0067622548f4e279e15fcad
                              • Instruction ID: b4ec3b2a9237bb1b690d92bcb3b116764bee90a2710c7370ad561ee205934b2f
                              • Opcode Fuzzy Hash: e5d105b9cf96cd393ff3eca4696897eac00554bde0067622548f4e279e15fcad
                              • Instruction Fuzzy Hash: 7F618170F002199FEB549FA9C8547AEBBF6FF88300F208529E606EB394DA755D418B91

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: $]q$$]q
                              • API String ID: 0-127220927
                              • Opcode ID: db9f95365389269d0a1db7b7bd6255cf7f80ef70c646985e9386c739f38faee4
                              • Instruction ID: c0ab46472273f3ee0f7d74de7d6fc342fbbc5eff18c6f8af724960bdf038d72e
                              • Opcode Fuzzy Hash: db9f95365389269d0a1db7b7bd6255cf7f80ef70c646985e9386c739f38faee4
                              • Instruction Fuzzy Hash: FD518F70B101069FDB54DB78D8A4B6EB3F6EF88304F108529C909DB794EE34EC068B92
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0705B176
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: f82513532c068e0a7379d6326caec3792766c482ee38f205e03eeebf3fe0c5e4
                              • Instruction ID: 3b2b50201c818946bcecb8377fe8a7734bf2ed66eb722c8feaa2601000779cc3
                              • Opcode Fuzzy Hash: f82513532c068e0a7379d6326caec3792766c482ee38f205e03eeebf3fe0c5e4
                              • Instruction Fuzzy Hash: 9C8157B0A00B058FD764DF69D04475BBBF5FF88300F008A2AE85AC7A50DB75E945CB91
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0705D202
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: 916fff8d4c3c7b5dda959c292c83c4ec53a951bd5b67baee2fb57a7aefe3683a
                              • Instruction ID: d882054a6fc06770ca4e73985636753a887dd2e1e96e6a3e72004362dd903cfd
                              • Opcode Fuzzy Hash: 916fff8d4c3c7b5dda959c292c83c4ec53a951bd5b67baee2fb57a7aefe3683a
                              • Instruction Fuzzy Hash: CE5102B1D00249AFCF11CF99C984ADEBFB6FF49314F14816AE818AB220D7759995CF90
                              Memory Dump Source
                              • Source File: 00000005.00000002.4439753740.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_18a0000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d22247416330330a628994ba79660bfadf1eb11d675826227d0ae6dc2b07f578
                              • Instruction ID: 40e7c6ba0a249ad39f73f05ba5adec099b6f3042695fa779a5f3c3034f29daeb
                              • Opcode Fuzzy Hash: d22247416330330a628994ba79660bfadf1eb11d675826227d0ae6dc2b07f578
                              • Instruction Fuzzy Hash: AF413471D0035A8FCB10CF79D8042EABBB6EF89310F1485AAD805E7241DB78A945CBE1
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0705D202
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: 15f4f0b23a3e04d1931fb225f5b11ba88b35aea286a3875d40057cdde1501b35
                              • Instruction ID: ec6497e26dd2e2ab007c4511c0b17fc7f7ca6bcc09694cf6008d574b97d9d798
                              • Opcode Fuzzy Hash: 15f4f0b23a3e04d1931fb225f5b11ba88b35aea286a3875d40057cdde1501b35
                              • Instruction Fuzzy Hash: 4741B1B1D00349AFDB14CF99C884ADEBBB5BF49310F24822AE819AB210D7759885CF90
                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 0705F8F1
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: f9b9035f782e3a6465d2622ca47856feb3bc9d6921b7356f61fbcfd9c3cd5332
                              • Instruction ID: 4e94f8ced6cb316812b19a5e25b0396c3a40912263c371e7c0cd6509c2e868bd
                              • Opcode Fuzzy Hash: f9b9035f782e3a6465d2622ca47856feb3bc9d6921b7356f61fbcfd9c3cd5332
                              • Instruction Fuzzy Hash: 49412CB490030ADFCB14DF99C448AAABBF5FF88314F14C959D919AB321D738A845CFA0
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 07052B47
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 29ccf8ed5fb65281fcc1870da3888911e5bfad8c09e65108eb174008ad9089d5
                              • Instruction ID: c8bf86a5d6f377bc7741d87a75a26080ad9218281d28ec1d04c425a46982ea46
                              • Opcode Fuzzy Hash: 29ccf8ed5fb65281fcc1870da3888911e5bfad8c09e65108eb174008ad9089d5
                              • Instruction Fuzzy Hash: 8B2114B5900248DFDB10CFAAD984AEEBBF5FF48310F14801AE919A7310C378A940CFA0
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 07052B47
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 62ec806c0f6706194fe6d1c03d7fdec57dc728c29122ba0b07736871399eb090
                              • Instruction ID: 20a06da22bdb3cebb8d898125eef568086e0adc900a66272cd36bfd421ff339e
                              • Opcode Fuzzy Hash: 62ec806c0f6706194fe6d1c03d7fdec57dc728c29122ba0b07736871399eb090
                              • Instruction Fuzzy Hash: 0921E4B5900249AFDB10CF9AD984ADEFBF9FF48310F14841AE918A7310D378A944CFA0
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0705B1F1,00000800,00000000,00000000), ref: 0705B3E2
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 0863472dba406876d1eaec19a23faf16e6543666b2cee87e3344e775ac05fb63
                              • Instruction ID: ac45445cb3b983e587439ac189d11779ae69602431f0f7670c57c6ae4a9d38c1
                              • Opcode Fuzzy Hash: 0863472dba406876d1eaec19a23faf16e6543666b2cee87e3344e775ac05fb63
                              • Instruction Fuzzy Hash: EA11E4B69003499FDB10DF9AC444AAEFBF8EF48310F10856AE919B7600C779A945CFA5
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0705B1F1,00000800,00000000,00000000), ref: 0705B3E2
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 91937c029edbfd55ee142d3b755eaa5392f421f6393fddee40266580ed4cdc2b
                              • Instruction ID: 60c028685e97405f1056d1c4fda83966ef49bb79dd91f28ff9a3d18e89b0bd4e
                              • Opcode Fuzzy Hash: 91937c029edbfd55ee142d3b755eaa5392f421f6393fddee40266580ed4cdc2b
                              • Instruction Fuzzy Hash: 7911E4B68003499FDB14CF9AD844ADEFBF8EF48310F10851AE919A7610C779A545CFA5
                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE ref: 018AEB9F
                              Memory Dump Source
                              • Source File: 00000005.00000002.4439753740.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_18a0000_M.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID:
                              • API String ID: 1890195054-0
                              • Opcode ID: 462cda6c6dcc06b569d5e09bc916dc23f19a2f7a9bea9ab2d7d163046e94986f
                              • Instruction ID: d234208bd3dcd79a7a5f867147b608de0614f76ccf835882d5f2ec32b430f69c
                              • Opcode Fuzzy Hash: 462cda6c6dcc06b569d5e09bc916dc23f19a2f7a9bea9ab2d7d163046e94986f
                              • Instruction Fuzzy Hash: 0C11E2B1C006599BDB10DF9AC544A9EFBF4AF48320F14856AD918B7240D778A944CFE5
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0705B176
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443762306.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7050000_M.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 724547fc79d627bc98a46bd97fb632dfa2ca752533e4b618a145f4f41f80387e
                              • Instruction ID: bc77fa0f77ba6da9f6ac53ba4952b1fe459c889bcac06a7f20297f11e6aea26e
                              • Opcode Fuzzy Hash: 724547fc79d627bc98a46bd97fb632dfa2ca752533e4b618a145f4f41f80387e
                              • Instruction Fuzzy Hash: DC11DFB5C002499FCB10DF9AC844A9EFBF9EF89214F10855AD829A7710C379A545CFA5
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: XPbq
                              • API String ID: 0-864591470
                              • Opcode ID: 22229d0829a2f369a8deb9234baf1953db0b2df358c2f165043a7c85c2b995ce
                              • Instruction ID: 38284af3000d7db0334637ca4eb4d40ed53ffee5c71a0973e8c8812cb904dcad
                              • Opcode Fuzzy Hash: 22229d0829a2f369a8deb9234baf1953db0b2df358c2f165043a7c85c2b995ce
                              • Instruction Fuzzy Hash: 0C519071B002099FDB549FB9C854B9EBBF7FF89700F208529E105AB395DA749D01CB91
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: PH]q
                              • API String ID: 0-3168235125
                              • Opcode ID: 00b78e4006d047bc240e004e52ea292c36076fbfc739892d8b49f9345f832cc1
                              • Instruction ID: 0636ce20080e538f8ff0f9f8f14a8c4fd08f51e07f2e6439852e83264acf4a8e
                              • Opcode Fuzzy Hash: 00b78e4006d047bc240e004e52ea292c36076fbfc739892d8b49f9345f832cc1
                              • Instruction Fuzzy Hash: 1A418FB0B0030AEFDF659F65D8A869EBBF6EF85300F104629E405DB244DB74A946CB91
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: PH]q
                              • API String ID: 0-3168235125
                              • Opcode ID: 5c2deff3011b33e67eed8d30edb7927ef089e35594faeb1c34a449b207fb02f2
                              • Instruction ID: 61412bc9255fec17cd68512dc430fd736525532f5268f21db9c660e849efe3b2
                              • Opcode Fuzzy Hash: 5c2deff3011b33e67eed8d30edb7927ef089e35594faeb1c34a449b207fb02f2
                              • Instruction Fuzzy Hash: 6131AB70B002069FCB589B74D46866E7BE7FF89310F248628D406DB394DE39DD46CBA6
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID: $]q
                              • API String ID: 0-1007455737
                              • Opcode ID: 7b94a029c2b4c26335f3816fd6f89c6f2b38f83ff7c165e796f2582050df0c47
                              • Instruction ID: efee13bf32216aa10a56c02d716563b9e205a65c0989b76dfaaf34348f68bc34
                              • Opcode Fuzzy Hash: 7b94a029c2b4c26335f3816fd6f89c6f2b38f83ff7c165e796f2582050df0c47
                              • Instruction Fuzzy Hash: 32F0C2B1700226CFCF688A58F9A867CB3F9EB45314F14C265DA19CB291C775EE06C791
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 803e804296654440b0205644a6bc34a1914f57b20756138346da9db07eaf28d9
                              • Instruction ID: 0ff95c6313afe041996ccf61ffbe2b8e0751d1291e2fef7d934ec8d2e879a398
                              • Opcode Fuzzy Hash: 803e804296654440b0205644a6bc34a1914f57b20756138346da9db07eaf28d9
                              • Instruction Fuzzy Hash: D661D0B1F004124FDB149A6EC89466FBADBAFD4210F154079D80EDB360DE7ADD0287D2
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 58a03f83bd04015dff395c4c7178f93f7eedeca39295b8397b2141099f6dba7d
                              • Instruction ID: bc66c56c6e93cb1b256af05e07f3a1f9de7b272019d447459ee03644962cf802
                              • Opcode Fuzzy Hash: 58a03f83bd04015dff395c4c7178f93f7eedeca39295b8397b2141099f6dba7d
                              • Instruction Fuzzy Hash: 76817F70B0024A8FCB44DF68D4647AEB7F6EF89304F108529E509DB395DB74ED468B92
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ce02b6dd683200ff39cb09ab3ca5f63db9022e4c39b2d202a108479276a4f8a4
                              • Instruction ID: 1c17c68dd0b71f477f7736587a088517167daf84e42b3187a40062814bfd51c9
                              • Opcode Fuzzy Hash: ce02b6dd683200ff39cb09ab3ca5f63db9022e4c39b2d202a108479276a4f8a4
                              • Instruction Fuzzy Hash: 3B914070E0025A8FDF60DF68C890B9DB7B1FF85300F208695D54DAB255DB71AA85CF91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d87fcbf1f22eb9e2fa05a0b9f87c7e288d781815969edad70e50fef462384f56
                              • Instruction ID: 7c28111fe65fecfebe184d0261f6db66918940595de05a883db05ab8788d4c14
                              • Opcode Fuzzy Hash: d87fcbf1f22eb9e2fa05a0b9f87c7e288d781815969edad70e50fef462384f56
                              • Instruction Fuzzy Hash: C9913E70E0021A8FDF60DF68C890B9DB7B1FF89304F208699D54DAB255DB71AA85CF91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f6db674f33a61572abc54760498a1027c7e520490e3a79507fd7464631edf235
                              • Instruction ID: 97d4d56809cd43a902549e908bc9129862b188e07b6bc794b8f4e9ec9b2546a5
                              • Opcode Fuzzy Hash: f6db674f33a61572abc54760498a1027c7e520490e3a79507fd7464631edf235
                              • Instruction Fuzzy Hash: E3713D74A002099FDB14DFA9D994AAEBBFAFF88300F148529D405EB354DB31ED46CB91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d577f4ad0ec3e39e69081a652ca220a414ce78918cc3a84716fbb897f15e5052
                              • Instruction ID: 0965684028b5ce7211d2e72dff5fc135997ff7762a57bff67fbb28cb8753c7dd
                              • Opcode Fuzzy Hash: d577f4ad0ec3e39e69081a652ca220a414ce78918cc3a84716fbb897f15e5052
                              • Instruction Fuzzy Hash: 326126B1A00107DFDB149F78F8682ADB7B6EF84321F104969E506DB240CB35A955CB81
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ad2f1c8d4f21bf7ef79f8ac70b2d196ba9a7b24c8a58d16ffcf1371289f13aa8
                              • Instruction ID: ab719ffeae304bad1fd148ba8402b799f41c88a9c9f560b9c572689d7881c046
                              • Opcode Fuzzy Hash: ad2f1c8d4f21bf7ef79f8ac70b2d196ba9a7b24c8a58d16ffcf1371289f13aa8
                              • Instruction Fuzzy Hash: 6C714C74A002099FDB14DFA8D9A4AAEBBFAFF88310F148529D405EB354DB34ED46CB51
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7306657ff3b94335f1d8b136b3bd8d7e835bedea50ef193ede154bd58206ef1f
                              • Instruction ID: af9f7a01e058199616f949d290a8b78723bb5a60d493748242408a34957ac2aa
                              • Opcode Fuzzy Hash: 7306657ff3b94335f1d8b136b3bd8d7e835bedea50ef193ede154bd58206ef1f
                              • Instruction Fuzzy Hash: 6951B6F47003069FEF645A6CE86873F269EDB89310F20592AD40AC33D5C96CDC4987A2
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: da852dc0804b5c2bc40edb9e418dc4201f56a1df9291b913aac120faeb569407
                              • Instruction ID: 5bc8d679a5a60470b423c2c46b1eba9d8f5508cdaa5357e838b30a0a981ceff0
                              • Opcode Fuzzy Hash: da852dc0804b5c2bc40edb9e418dc4201f56a1df9291b913aac120faeb569407
                              • Instruction Fuzzy Hash: DC51C5F07003069FEF645A6CF86873F269FEB89310F205926E50AC3395C96CDC4587A2
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8511a0e571a5fda80003c8a8469901201cd219eceff4905e8fe7b6ea0720acde
                              • Instruction ID: 268c3256dc0e520a36d08af651c7893263186dcc75a04a508cb2969febdccdf6
                              • Opcode Fuzzy Hash: 8511a0e571a5fda80003c8a8469901201cd219eceff4905e8fe7b6ea0720acde
                              • Instruction Fuzzy Hash: F44181B1A002068FCB70CEA9DCD46AFFBF2FB45310F204A6AE259D7214D731E9558B91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 20c2e0e1803f7268fd8f12ee5af26d8a508d33235a8d008630f3b180af1c48ed
                              • Instruction ID: a153739f4e4bb95f0c45057dbe24de00d7711e30ef25b8f765303f5a974d8424
                              • Opcode Fuzzy Hash: 20c2e0e1803f7268fd8f12ee5af26d8a508d33235a8d008630f3b180af1c48ed
                              • Instruction Fuzzy Hash: 2A31A770B1430A8BCF14CF69D49069EBBBAFF85304F148629D805EB304EB74E946CB91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b789587fcab41aa04c13a3ff98310346ce9c77d2804b0594d77a4e6bdc901ce8
                              • Instruction ID: 9ad548f87211df99632651611947aff9916066c3d41e6bacd682694ec63376a9
                              • Opcode Fuzzy Hash: b789587fcab41aa04c13a3ff98310346ce9c77d2804b0594d77a4e6bdc901ce8
                              • Instruction Fuzzy Hash: 52317E70E0020A9BCB05CF65D8A869EB7F2FF89300F148519EA06EB350DB70AD46CB91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 33cded959795d999f69608f14d4012da44a8ebe4f3c431be03e745a82746cac5
                              • Instruction ID: de1ad935c474d71fb49028e2bdbdb010ba668164cf493ddb4c6103e27df90a6f
                              • Opcode Fuzzy Hash: 33cded959795d999f69608f14d4012da44a8ebe4f3c431be03e745a82746cac5
                              • Instruction Fuzzy Hash: E4316070E0420A9BCB15CF65D8A869EB7F6FF89300F10C529E916EB350DB71AD46CB91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 40edaf7cf7fde17b3339fb1964353fcbc5860df47a39feba94a80ab342bd00d1
                              • Instruction ID: f7687871b3e5cf0cd06d06562e0c8d2559f885413a41feb5c8b42e2a4fe57852
                              • Opcode Fuzzy Hash: 40edaf7cf7fde17b3339fb1964353fcbc5860df47a39feba94a80ab342bd00d1
                              • Instruction Fuzzy Hash: 03218DB5F002169FDB50CF68D981AAEFBF5EB48710F049129EA05E7381DB35DD418B91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0e05bd48fad7b12a32caf19b873a76e77db4b0bb7042444f97d9c765f657a918
                              • Instruction ID: bb91d170df546d7e054bf18541a1f2a737f7fb268dac40814411fb3554424293
                              • Opcode Fuzzy Hash: 0e05bd48fad7b12a32caf19b873a76e77db4b0bb7042444f97d9c765f657a918
                              • Instruction Fuzzy Hash: 3D21A1B1F002159FDB50CF69D890AAEF7F5EB48710F105129EA09E7381DB35DD018B91
                              Memory Dump Source
                              • Source File: 00000005.00000002.4439554243.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_184d000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 055198721668445592b8213da608125395b3042d005ed7510189945e34fb884c
                              • Instruction ID: d5c5263d1c371bd3ba05db0a9a69f920908d6c83877748efd0a082e266052b1f
                              • Opcode Fuzzy Hash: 055198721668445592b8213da608125395b3042d005ed7510189945e34fb884c
                              • Instruction Fuzzy Hash: E5212271604208DFCB15DF98D9C0B26BBA5FB94318F20C66DE9098B256CB3AD506CA62
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: df1099e0e61838a5e41eef8e147bec205da4fab85611c5279328913bdbf00e73
                              • Instruction ID: 8786aa7bf51b21e33f0e30a11618ac9e3644a0b158d7879374f2c6e203dbd2d3
                              • Opcode Fuzzy Hash: df1099e0e61838a5e41eef8e147bec205da4fab85611c5279328913bdbf00e73
                              • Instruction Fuzzy Hash: E91145313041520BDB628A7DD868B2FBBEFDBCA710F24842AF10ACB341DD15DD4283A2
                              Memory Dump Source
                              • Source File: 00000005.00000002.4443807025.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7060000_M.jbxd
                              Similarity