
Windows Analysis Report
95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe

Overview

General Information

Sample name:95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Analysis ID:1479851
MD5:f653eb1fb00fe3d29d270f7ac7d5bf1d
SHA1:72759ad39425e85a9c8a766db75b7e6ec8c80b10
SHA256:cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048
Tags:exe

Detection

AgentTesla, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name | Description | Attribution | Blogpost URLs
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | SWEED | https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.wapination.net", "Username": "pop@wapination.net", "Password": "sync@#1235"}
Source | Rule | Description | Author | Strings
95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 CA 88 44 24 2B 88 44 24 2F B0 5F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3efdf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3f051:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3f0db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3f16d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3f1d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3f249:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3f2df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3f36f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x3922c:$s2: GetPrivateProfileString
  • 0x3c3c1:$s3: get_OSFullName
  • 0x3982d:$s5: remove_Key
  • 0x3984d:$s5: remove_Key
  • 0x3c836:$s6: FtpWebRequest
  • 0x3efc1:$s7: logins
  • 0x3f533:$s7: logins
  • 0x42244:$s7: logins
  • 0x422f6:$s7: logins
  • 0x452be:$s7: logins
  • 0x42e9a:$s9: 1.85 (Hash, version 2, native byte-order)

Source | Rule | Description | Author | Strings
0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 CA 88 44 24 2B 88 44 24 2F B0 5F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
0.0.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 CA 88 44 24 2B 88 44 24 2F B0 5F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
                No Sigma rule has matched
                No Snort rule has matched
Timestamp: 2024-07-24T09:04:13.641756+0200
SID: 2855542
Source Port: 49705
Destination Port: 39781
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-24T09:04:13.615473+0200
SID: 2855542
Source Port: 49705
Destination Port: 39781
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-24T09:04:13.198989+0200
SID: 2029927
Source Port: 49704
Destination Port: 21
Protocol: TCP
Classtype: A Network Trojan was detected
                AV Detection

Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Avira: detected
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.wapination.net", "Username": "pop@wapination.net", "Password": "sync@#1235"}
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; ReversingLabs: Detection: 50%
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Virustotal: Detection: 57%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Joe Sandbox ML: detected
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: _.pdb; source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp
Source: global traffic; TCP traffic: 192.168.2.5:49705 -> 108.179.234.136:39781
Source: Joe Sandbox View; IP Address: 108.179.234.136
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown; FTP traffic detected: 108.179.234.136:21 -> 192.168.2.5:49704
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 12 of 150 allowed.
  220-Local time is now 02:04. Server port: 21.
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: ftp.wapination.net
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278893128.000000000259E000.00000004.00000800.00020000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278893128.0000000002590000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ftp.wapination.net
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278893128.0000000002590000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278893128.000000000259E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://wapination.net
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, SKTzxzsJw.cs; .Net Code: Fe9wfWKc5

                System Summary

Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, type: SAMPLE; Matched rule: Detects RedLine infostealer; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RedLine infostealer; Author: ditekSHen
Source: 0.0.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RedLine infostealer; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_00408C60
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_0040DC11
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_00407C3F
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_00418CCC
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_00406CA0
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_004028B0
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_0041A4BE
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_00418244
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_00401650
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_00402F20
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_004193C4
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_00418788
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_00402F89
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_00402B90
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_004073A0
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_0226D050
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_0226D920
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_0226CD08
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_02261298
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_022612EA
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_022612CA
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_02261322
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_02261307
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_02261368
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_02261345
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_0226138B
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_02260FD0
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_02261030
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_05C7BD88
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_05C750D3
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_05C7E470
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_05C7EBC3
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_05C70040
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_05C70007
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_05C78B22
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_05CA4AE7
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_05CA98E9
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_05CA09F8
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_064E6C20
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_064E53A8
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: 0_2_064ECED0
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe; Code function: String function: 0040E1D8 appears 44 times
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278893128.0000000002541000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000003.2045073210.000000000068A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3277242731.0000000000198000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000003.2041698547.00000000006BC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMsMpLics.dllj% vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
                Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename_.dll4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
                Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exeBinary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
                Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, type: SAMPLEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 0.0.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exeStatic PE information: Section: .rsrc ZLIB complexity 0.9924296875
                Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear 0_2_004019F0
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Command line argument: 08A 0_2_00413780
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | ReversingLabs: Detection: 50%
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Virustotal: Detection: 57%
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: _.pdb source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp

                Data Obfuscation

Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear 0_2_004019F0
Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Static PE information: real checksum: 0x23bfb should be: 0x47d5f
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'w58Mn4hlKZnUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'w58Mn4hlKZnUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'w58Mn4hlKZnUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'w58Mn4hlKZnUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'w58Mn4hlKZnUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Memory allocated: 2260000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Memory allocated: 2540000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Memory allocated: 4540000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3279843919.0000000004BE7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | API call chain: ExitProcess graph end node, graph_0-51008
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040CE09
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,0_2_0040ADB0
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040E61C
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00416F6A
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: 0_2_004123F1 SetUnhandledExceptionFilter,0_2_004123F1
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: GetLocaleInfoA,0_2_00417A20
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00412A15
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
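The evasion evidence above is strongest where the sample enumerates several hardware-identity WMI classes (Win32_NetworkAdapterConfiguration, Win32_BaseBoard, Win32_Processor) from one process; the remaining entries are weaker on their own, since an IsDebuggerPresent / SetUnhandledExceptionFilter / TerminateProcess chain is also what the MSVC C runtime's fault-reporting path looks like, and write-watch reservations are routinely made by the .NET garbage collector. The following is an added detection example, not part of the report, that correlates the WMI events per process and only reports the weaker markers alongside. The event lines for the sample are copied from the report; the taskmgr.exe line and the extra class names beyond the report's three are this example's assumptions.

```python
import re
from collections import defaultdict

# WMI classes whose values identify the hardware or hypervisor. The first three are
# the ones the report shows this sample enumerating; the rest are assumed additions.
FINGERPRINT_CLASSES = {
    "Win32_NetworkAdapterConfiguration", "Win32_NetworkAdapter", "Win32_BaseBoard",
    "Win32_Processor", "Win32_BIOS", "Win32_ComputerSystem", "Win32_DiskDrive",
    "Win32_VideoController",
}

# The two WMI call shapes recorded in the report's "WMI Queries" lines.
WMI_RE = re.compile(
    r"IWbemServices::(CreateInstanceEnum|ExecQuery)\s*-\s*([\w\\]+)\s*:\s*(.+)$")
CLASS_RE = re.compile(r"\bWin32_\w+")

# Secondary markers from the same section; reported, but they do not flag on their own.
OTHER_MARKERS = {
    "write_watch": re.compile(r"memory write watch", re.IGNORECASE),
    "debugger_check": re.compile(r"\bIsDebuggerPresent\b"),
    "hypervisor_string": re.compile(r"Hyper-V|VMware|VirtualBox|VBox|QEMU", re.IGNORECASE),
}

SAMPLE = "95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe"

# Constructed event stream: (process image, event description). The SAMPLE lines are the
# report's own entries; the taskmgr.exe line is an assumed benign single-class query.
EVENTS = [
    (SAMPLE, r"WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration"),
    (SAMPLE, "Memory allocated: 2260000 memory reserve | memory write watch"),
    (SAMPLE, r"WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard"),
    (SAMPLE, r"WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor"),
    (SAMPLE, r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor"),
    (SAMPLE, r"Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC"),
    (SAMPLE, "Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,"
             "UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040CE09"),
    ("taskmgr.exe", r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor"),
]


def wmi_classes(description):
    """Set of Win32_* class names referenced by one WMI query description."""
    m = WMI_RE.search(description)
    return set(CLASS_RE.findall(m.group(3))) if m else set()


def profile(events):
    """Per process: fingerprint classes enumerated and secondary markers observed."""
    out = defaultdict(lambda: {"classes": set(), "markers": set()})
    for proc, desc in events:
        out[proc]["classes"] |= wmi_classes(desc) & FINGERPRINT_CLASSES
        for name, rx in OTHER_MARKERS.items():
            if rx.search(desc):
                out[proc]["markers"].add(name)
    return out


def flag_evasion(events, min_classes=2):
    """Flag processes that enumerate at least min_classes fingerprint classes.
    Returns {process: (sorted classes, sorted markers)}."""
    return {p: (sorted(v["classes"]), sorted(v["markers"]))
            for p, v in profile(events).items()
            if len(v["classes"]) >= min_classes}


if __name__ == "__main__":
    for proc, (classes, markers) in flag_evasion(EVENTS).items():
        print(proc, classes, markers)
```

A single Win32_Processor query is ordinary (inventory agents and Task Manager do it), which is why the rule keys on the breadth of classes read by one process rather than on any one query. On a live host the same logic can be fed from WMI activity tracing instead of a sandbox report; the line shapes would differ but the class extraction does not.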

                Stealing of Sensitive Information

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3278893128.0000000002590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3278893128.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe PID: 4824, type: MEMORYSTR
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | File opened: C:\FTP Navigator\Ftplist.txt
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3278893128.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe PID: 4824, type: MEMORYSTR
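The "File opened" and "Key opened" entries in this section are the part of the report that generalises best into a host detection: one process touching the credential stores of browsers, mail clients, an FTP client and WinSCP in quick succession is the stealer behaviour itself, independent of which packer wrapped it. The following is an added example, not part of the report, that classifies such file and registry accesses and flags a process once it has reached into more than one category. The store paths and keys are the ones the report lists for this sample, generalised over the user name and profile folder; the category names, the "legitimate owner" process names used to suppress an application reading its own store, and the chrome.exe / explorer.exe noise events are this example's assumptions.

```python
import re
from collections import defaultdict

# (category, legitimate owner process, pattern). Paths and keys come from the report;
# categories and owner process names are assumed for the example.
STORES = [
    ("browser", "chrome.exe",       r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$"),
    ("browser", "msedge.exe",       r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$"),
    ("browser", "firefox.exe",      r"\\Mozilla\\Firefox\\profiles\.ini$"),
    ("browser", "cyberfox.exe",     r"\\8pecxstudios\\Cyberfox\\profiles\.ini$"),
    ("browser", "blackhawk.exe",    r"\\NETGATE Technologies\\BlackHawk\\profiles\.ini$"),
    ("mail",    "thunderbird.exe",  r"\\Thunderbird\\profiles\.ini$"),
    ("mail",    "outlook.exe",      r"\\Windows Messaging Subsystem\\Profiles$"),
    ("mail",    "incmail.exe",      r"\\IncrediMail\\Identities$"),
    ("ftp",     "ftpnavigator.exe", r"\\FTP Navigator\\Ftplist\.txt$"),
    ("scp",     "winscp.exe",       r"\\WinSCP 2\\Sessions$"),
]
COMPILED = [(cat, owner, re.compile(pat, re.IGNORECASE)) for cat, owner, pat in STORES]
EVENT_RE = re.compile(r"^(File opened|Key opened):\s*(.+?)\s*$")

SAMPLE = "95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe"

# Constructed event stream: (process image, event description). The SAMPLE lines are the
# report's own entries; the chrome.exe and explorer.exe lines are assumed benign noise.
EVENTS = [
    (SAMPLE, r"Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (SAMPLE, r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (SAMPLE, r"File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (SAMPLE, r"File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    (SAMPLE, r"File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    (SAMPLE, r"File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (SAMPLE, r"File opened: C:\FTP Navigator\Ftplist.txt"),
    (SAMPLE, r"File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (SAMPLE, r"Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    (SAMPLE, r"Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    ("chrome.exe", r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("explorer.exe", r"File opened: C:\Users\user\Documents\notes.txt"),
]


def classify(target):
    """(category, owner) for a known credential store path or key, else None."""
    for cat, owner, rx in COMPILED:
        if rx.search(target):
            return cat, owner
    return None


def credential_access(events):
    """{process: {category: [targets]}} for accesses by anything other than the store's owner."""
    hits = defaultdict(lambda: defaultdict(list))
    for proc, desc in events:
        m = EVENT_RE.match(desc)
        if not m:
            continue
        hit = classify(m.group(2))
        if hit is None:
            continue
        cat, owner = hit
        if proc.lower() == owner:
            continue  # the owning application reading its own store is normal
        hits[proc][cat].append(m.group(2))
    return hits


def flag_stealers(events, min_categories=2):
    """Processes that reached into at least min_categories distinct store categories."""
    return {p: sorted(cats) for p, cats in credential_access(events).items()
            if len(cats) >= min_categories}


if __name__ == "__main__":
    for proc, cats in flag_stealers(EVENTS).items():
        print(proc, cats)
```

Two design points carry over to a production rule: match on the tail of the path so the user name and profile folder do not matter, and suppress only the specific owner of each store rather than whitelisting whole categories, since a stealer masquerading as a browser would otherwise hide behind the browser's exemption. Because AgentTesla reads the Firefox and Thunderbird profiles.ini first and then the key databases, the profiles.ini open is the earliest event this rule sees for those two families.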

                Remote Access Functionality

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3278893128.0000000002590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.3278893128.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe PID: 4824, type: MEMORYSTR
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211ecee.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.24d0000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3592b90.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.211fbd6.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3546458.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe.3545570.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic column (a leading number is the report's hit marker for that technique, reproduced as displayed; entries without a number carry no hit marker):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 121 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Native API; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 12 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 141 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 File and Directory Discovery; 35 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 2 Data from Local System; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: 1 Exfiltration Over Alternative Protocol; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus detection (initial sample):
Source | Detection | Scanner | Label
95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | 58% | Virustotal |
95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | 100% | Avira | HEUR/AGEN.1323352
95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe | 100% | Joe Sandbox ML |

Antivirus detection (dropped files): No Antivirus matches
Antivirus detection (unpacked PE files): No Antivirus matches

Antivirus detection (domains):
Source | Detection | Scanner | Label
wapination.net | 0% | Virustotal |
ftp.wapination.net | 1% | Virustotal |

Antivirus detection (URLs):
Source | Detection | Scanner | Label
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ftp.wapination.net | 1% | Virustotal |
http://ftp.wapination.net | 0% | Avira URL Cloud | safe
http://wapination.net | 0% | Avira URL Cloud | safe
http://wapination.net | 0% | Virustotal |
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
wapination.net | 108.179.234.136 | true | true | | unknown
ftp.wapination.net | unknown | unknown | true | | unknown

URLs found in memory:
Name | Source | Malicious | Antivirus Detection | Reputation
http://ftp.wapination.net | 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278893128.000000000259E000.00000004.00000800.00020000.00000000.sdmp; 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278893128.0000000002590000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://account.dyn.com/ | 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp; 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp; 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp; 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp; 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278893128.0000000002590000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://wapination.net | 95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe, 00000000.00000002.3278893128.000000000259E000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown

Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
108.179.234.136 | wapination.net | United States | 46606 | UNIFIEDLAYER-AS-1US | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1479851
                Start date and time:2024-07-24 09:03:17 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 6s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:5
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 93%
                • Number of executed functions: 83
                • Number of non-executed functions: 42
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
Context (IPs):
Match | Associated Sample Name / URL | Detection | Threat Name
108.179.234.136 | Shipping Documents_pdf.exe | malicious | AgentTesla, PureLog Stealer
108.179.234.136 | SecuriteInfo.com.Win32.PWSX-gen.20769.7015.exe | malicious | AgentTesla
108.179.234.136 | SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe | malicious | AgentTesla
108.179.234.136 | Shipping Documents_pdf.scr.exe | malicious | AgentTesla
108.179.234.136 | Quotation_#432768#_pdf.scr.exe | malicious | AgentTesla, PureLog Stealer
108.179.234.136 | Payment Advice Copy-EUR 5500,00 20240419165413-docx.pif.exe | malicious | AgentTesla, PureLog Stealer
108.179.234.136 | Payment_Advice-pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine

Context (domains): no entries listed

Context (ASNs):
Match | Associated Sample Name / URL | Detection | Threat Name | IP
UNIFIEDLAYER-AS-1US | List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger | 108.167.181.251
UNIFIEDLAYER-AS-1US | Shipping Documents_pdf.exe | malicious | AgentTesla, PureLog Stealer | 108.179.234.136
UNIFIEDLAYER-AS-1US | Apixaban - August 2024.XLS.exe | malicious | Snake Keylogger | 108.167.181.251
UNIFIEDLAYER-AS-1US | Collexus Knowledge Base Access.docx | malicious | Unknown | 192.254.232.202
UNIFIEDLAYER-AS-1US | https://www.turkiyecumhuriyetiziraatbankasi.com/en/product-and-service-fees.html | malicious | Unknown | 162.240.37.219
UNIFIEDLAYER-AS-1US | http://nia.sga.mybluehost.me/ | malicious | Unknown | 162.241.226.133
UNIFIEDLAYER-AS-1US | http://www.agrimarkeurope.com | malicious | Unknown | 173.254.30.100
UNIFIEDLAYER-AS-1US | http://erikagascon.com/ | malicious | HTMLPhisher | 162.241.61.204
UNIFIEDLAYER-AS-1US | Caller_Left (VM) (Ofsoptics) c8d121e7a1b51baf9fc10b2def5961d2 (14.9 KB).msg | malicious | HTMLPhisher, Tycoon2FA | 69.49.245.172
UNIFIEDLAYER-AS-1US | http://links-sg.dispatch.me/ls/click?upn=u001.ocQe0-2BgliqpF-2FIgZypM8KOaLflKjBlvqTxtPZw5yZIbZDE9vmulRwrCjHKmWRDNHlPAKzJz-2Bkyw6vooZJVzMD9D0PTTv40Qaf3A-2B8jdax3zSQd6j97iwPQ5LL29XZH-2Bb3ZkTE33n6oy8gEQcco0n7vS-2FGTmcMagm61nZGx-2BsbOmIrrFduUTLIj3aNiNh7GKndYRqJIKnx4-2BMq-2Fp3sc3WW23AJCzdlcXL4wplUU4mfYI-3DEZrM_2oPqK8tuNAHN64IciOmeZPyRuqNs2X0exJLQc9A9fZvUMaycL-2Fz7whcRnxrz-2B4IB7izKsVyREANEupGz7H72JUx0AUI1w-2F-2BoQqBNLoZiC-2FK-2BFnOYEVpG01K9eVop9ITdC7fLxEN-2F3GKzXPK8ZIvVGqqB1Qi-2F618LDRDdHJqCef2Ko2ktowJEA7wmfbk9zS9J2KvV7yd4oTdMV5y9A9xZdg-3D-3D | malicious | HTMLPhisher, Tycoon2FA | 108.179.241.225

Context (JA3 fingerprints): No context
Context (dropped files): No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.537966293884466
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
                              File size:267'264 bytes
                              MD5:f653eb1fb00fe3d29d270f7ac7d5bf1d
                              SHA1:72759ad39425e85a9c8a766db75b7e6ec8c80b10
                              SHA256:cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048
                              SHA512:be7d11e36c93c8b81811c6def50761396da6f9f6409cba4f88ba3c49070757e42b153c5bee632dc5e43a8aecdf9f2c32d5107b20a36d3df80171d5e6d2256534
                              SSDEEP:6144:YDKW1Lgbdl0TBBvjc/q6D6d/rtiaAxMGG+ui:+h1Lk70Tnvjci6DUorui
                              TLSH:7744D02075D1C2B3C4B6013045E6CBB69A7A7072077A92DBB7DD17BA6E213D0A3362CD
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~.................OXf....PE..L...t..P..........#........
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0x40cd2f
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                              DLL Characteristics:TERMINAL_SERVER_AWARE
                              Time Stamp:0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:0
                              File Version Major:5
                              File Version Minor:0
                              Subsystem Version Major:5
                              Subsystem Version Minor:0
                              Import Hash:bf5a4aa99e5b160f8521cadd6bfe73b8
                              Instruction
                              call 00007FBCC0E40706h
                              jmp 00007FBCC0E3A8C9h
                              mov edi, edi
                              push ebp
                              mov ebp, esp
                              sub esp, 20h
                              mov eax, dword ptr [ebp+08h]
                              push esi
                              push edi
                              push 00000008h
                              pop ecx
                              mov esi, 0041F058h
                              lea edi, dword ptr [ebp-20h]
                              rep movsd
                              mov dword ptr [ebp-08h], eax
                              mov eax, dword ptr [ebp+0Ch]
                              pop edi
                              mov dword ptr [ebp-04h], eax
                              pop esi
                              test eax, eax
                              je 00007FBCC0E3AA2Eh
                              test byte ptr [eax], 00000008h
                              je 00007FBCC0E3AA29h
                              mov dword ptr [ebp-0Ch], 01994000h
                              lea eax, dword ptr [ebp-0Ch]
                              push eax
                              push dword ptr [ebp-10h]
                              push dword ptr [ebp-1Ch]
                              push dword ptr [ebp-20h]
                              call dword ptr [0041B000h]
                              leave
                              retn 0008h
                              ret
                              mov eax, 00413563h
                              mov dword ptr [004228E4h], eax
                              mov dword ptr [004228E8h], 00412C4Ah
                              mov dword ptr [004228ECh], 00412BFEh
                              mov dword ptr [004228F0h], 00412C37h
                              mov dword ptr [004228F4h], 00412BA0h
                              mov dword ptr [004228F8h], eax
                              mov dword ptr [004228FCh], 004134DBh
                              mov dword ptr [00422900h], 00412BBCh
                              mov dword ptr [00422904h], 00412B1Eh
                              mov dword ptr [00422908h], 00412AABh
                              ret
                              mov edi, edi
                              push ebp
                              mov ebp, esp
                              call 00007FBCC0E3A9BBh
                              call 00007FBCC0E41240h
                              cmp dword ptr [ebp+00h], 00000000h
                              Programming Language:
                              • [ASM] VS2008 build 21022
                              • [IMP] VS2005 build 50727
                              • [C++] VS2008 build 21022
                              • [ C ] VS2008 build 21022
                              • [LNK] VS2008 build 21022
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x215b4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x1f24c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b1c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x20da0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19718 | 0x19800 | 33c54ba3b075ccbea955f3cf6e80ff4a | False | 0.5789292279411765 | data | 6.748588134618396 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x6db4 | 0x6e00 | 5826801f33fc1b607aa8e942aa92e9fa | False | 0.5467329545454546 | data | 6.442956247632331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x30c0 | 0x1600 | 2fe51a72ede820cd7cf55a77ba59b1f4 | False | 0.3126775568181818 | data | 3.2625868398009703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26000 | 0x1f24c | 0x1f400 | a242078be4416e3b04c48640183a6ec6 | False | 0.9924296875 | data | 7.994902503276483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x26124 | 0x1ec5d | data | | | 1.0003649490261415
RT_RCDATA | 0x44d84 | 0x20 | data | | | 1.28125
RT_VERSION | 0x44da4 | 0x2bc | data | | | 0.43714285714285717
RT_MANIFEST | 0x45060 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
Imports:
KERNEL32.dll: RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll: OleInitialize
OLEAUT32.dll: SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString
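The section and resource tables above are the static half of this report's verdict: the .rsrc section has entropy 7.99 and a ZLIB complexity of 0.99, it holds one RT_RCDATA blob of 0x1ec5d bytes, and the import list is the resource-loading set (FindResourceA, LoadResource, LockResource, SizeofResource, VirtualAlloc). The COM descriptor directory is empty, so this dump is a native executable even though the AV label and the unpacked-PE Yara matches point at a .NET payload; reading the high-entropy resource as the payload carrier is an inference from those facts, not something the report states. The Python below is an added example, not code from the report, from Joe Sandbox, or from the sample: it computes the two per-section figures on constructed section contents and applies the triage rule an analyst uses on a table like this one. "ZLIB complexity" is assumed here to mean compressed size divided by raw size; that reading is not documented on the page.

```python
"""Added example: per-section entropy and zlib-compressibility triage.
Not part of the Joe Sandbox report or the analysed sample.
"""
import math
import random
import zlib
from collections import Counter

ENTROPY_HIGH = 7.0     # bits per byte; encrypted or compressed data sits near 8.0
COMPLEXITY_HIGH = 0.9  # zlib barely shrinks data that is already compressed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed-to-raw size ratio (assumed meaning of the report's column)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def looks_like_payload_blob(data: bytes, executable: bool) -> bool:
    """Flag a non-executable section whose bytes are incompressible and high-entropy.

    Compiled code (the report's .text: entropy 6.75, complexity 0.58) clears the
    entropy bar but not the compressibility bar, so both are required. Executable
    sections are left to other checks (packed code needs e.g. an entry-point test).
    """
    if executable:
        return False
    return (shannon_entropy(data) >= ENTROPY_HIGH
            and zlib_complexity(data) >= COMPLEXITY_HIGH)


def triage_sections(sections: dict) -> list:
    """Names of the sections that look like carried payload blobs.

    `sections` maps section name -> (bytes, is_executable).
    """
    return [name for name, (data, is_exec) in sections.items()
            if looks_like_payload_blob(data, is_exec)]


def make_random_blob(n: int, seed: int = 2024) -> bytes:
    """Stand-in for an encrypted resource: uniform random bytes from a fixed seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-ins for a small PE; the bytes and sizes are made up, the
# shape (code section, small data, one opaque resource section) mirrors the report.
SAMPLE_SECTIONS = {
    ".text": (b"\x55\x8b\xec\x83\xec\x20\x8b\x45\x08\x56\x57\x6a\x08\x59" * 1200, True),
    ".data": (b"\x00" * 4096 + b"config\x00", False),
    ".rsrc": (make_random_blob(32768), False),
}

if __name__ == "__main__":
    for name, (data, is_exec) in SAMPLE_SECTIONS.items():
        print(f"{name:6} entropy={shannon_entropy(data):.3f} "
              f"complexity={zlib_complexity(data):.3f} "
              f"flagged={looks_like_payload_blob(data, is_exec)}")
    print("flagged:", triage_sections(SAMPLE_SECTIONS))
```

Fed the real section bytes (for instance via pefile's `section.get_data()`), the same rule flags this sample's .rsrc and nothing else; the follow-up is to carve the RT_RCDATA resource and look for the decryption routine near the FindResourceA/LockResource call sites, since the unpacked-PE Yara hits show the .NET stealer appears in memory after that step.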
IDS alerts:
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-24T09:04:13.641756+0200 | TCP | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 49705 | 39781 | 192.168.2.5 | 108.179.234.136
2024-07-24T09:04:13.615473+0200 | TCP | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 49705 | 39781 | 192.168.2.5 | 108.179.234.136
2024-07-24T09:04:13.198989+0200 | TCP | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 49704 | 21 | 192.168.2.5 | 108.179.234.136
TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 24, 2024 09:04:11.660638094 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:11.665447950 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:11.665527105 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:12.180226088 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:12.180500031 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:12.185323000 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:12.518779039 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:12.519572973 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:12.519731045 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:12.519848108 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:12.525656939 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:12.726624012 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:12.726816893 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:12.734177113 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:12.844710112 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:12.844985962 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:12.849826097 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:12.959749937 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:12.960019112 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:12.964915037 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:13.077303886 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:13.077594042 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:13.082951069 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:13.192862988 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:13.193824053 CEST | 49705 | 39781 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:13.198764086 CEST | 39781 | 49705 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:13.198887110 CEST | 49705 | 39781 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:13.198988914 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:13.205091000 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:13.614537001 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:13.615473032 CEST | 49705 | 39781 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:13.615581036 CEST | 49705 | 39781 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:13.620352030 CEST | 39781 | 49705 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:13.641655922 CEST | 39781 | 49705 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:13.641756058 CEST | 49705 | 39781 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:13.655420065 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
Jul 24, 2024 09:04:13.751806974 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5
Jul 24, 2024 09:04:13.796060085 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136
UDP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 24, 2024 09:04:11.340152979 CEST | 57683 | 53 | 192.168.2.5 | 1.1.1.1
Jul 24, 2024 09:04:11.653389931 CEST | 53 | 57683 | 1.1.1.1 | 192.168.2.5

DNS queries:
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 24, 2024 09:04:11.340152979 CEST | 192.168.2.5 | 1.1.1.1 | 0x7839 | Standard query (0) | ftp.wapination.net | A (IP address) | IN (0x0001) | false

DNS answers:
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 24, 2024 09:04:11.653389931 CEST | 1.1.1.1 | 192.168.2.5 | 0x7839 | No error (0) | ftp.wapination.net | wapination.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 24, 2024 09:04:11.653389931 CEST | 1.1.1.1 | 192.168.2.5 | 0x7839 | No error (0) | wapination.net | | 108.179.234.136 | A (IP address) | IN (0x0001) | false
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                              Jul 24, 2024 09:04:12.180226088 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                  220-You are user number 12 of 150 allowed.
                                  220-Local time is now 02:04. Server port: 21.
                                  220-IPv6 connections are also welcome on this server.
                                  220 You will be disconnected after 15 minutes of inactivity.
                              Jul 24, 2024 09:04:12.180500031 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136 | USER pop@wapination.net
                              Jul 24, 2024 09:04:12.518779039 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5 | 331 User pop@wapination.net OK. Password required
                              Jul 24, 2024 09:04:12.519572973 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5 | 331 User pop@wapination.net OK. Password required
                              Jul 24, 2024 09:04:12.519848108 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136 | PASS sync@#1235
                              Jul 24, 2024 09:04:12.726624012 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5 | 230 OK. Current restricted directory is /
                              Jul 24, 2024 09:04:12.844710112 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5 | 504 Unknown command
                              Jul 24, 2024 09:04:12.844985962 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136 | PWD
                              Jul 24, 2024 09:04:12.959749937 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5 | 257 "/" is your current location
                              Jul 24, 2024 09:04:12.960019112 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136 | TYPE I
                              Jul 24, 2024 09:04:13.077303886 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5 | 200 TYPE is now 8-bit binary
                              Jul 24, 2024 09:04:13.077594042 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136 | PASV
                              Jul 24, 2024 09:04:13.192862988 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5 | 227 Entering Passive Mode (108,179,234,136,155,101)
                              Jul 24, 2024 09:04:13.198988914 CEST | 49704 | 21 | 192.168.2.5 | 108.179.234.136 | STOR PW_user-374653_2024_07_24_03_04_10.html
                              Jul 24, 2024 09:04:13.614537001 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5 | 150 Accepted data connection
                              Jul 24, 2024 09:04:13.751806974 CEST | 21 | 49704 | 108.179.234.136 | 192.168.2.5 | 226-File successfully transferred
                                  226 0.137 seconds (measured here), 2.28 Kbytes per second

                              Target ID: 0
                              Start time: 03:04:08
                              Start date: 24/07/2024
                              Path: C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Users\user\Desktop\95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe"
                              Imagebase: 0x400000
                              File size: 267'264 bytes
                              MD5 hash: F653EB1FB00FE3D29D270F7AC7D5BF1D
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.3279694943.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2043003117.000000000063E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.3278789552.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3278893128.0000000002590000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.3277929389.00000000020DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.3279523987.0000000003541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3278893128.0000000002541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3278893128.0000000002541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation: low
                              Has exited: false

                                Execution Graph

                                Execution Coverage: 9.1%
                                Dynamic/Decrypted Code Coverage: 55.8%
                                Signature Coverage: 13.3%
                                Total number of Nodes: 369
                                Total number of Limit Nodes: 36
                                execution_graph 50594 21cd01c 50595 21cd034 50594->50595 50596 21cd08e 50595->50596 50601 64e8368 50595->50601 50605 64e75e4 50595->50605 50614 64e8357 50595->50614 50618 64e90b9 50595->50618 50602 64e838e 50601->50602 50603 64e75e4 CallWindowProcW 50602->50603 50604 64e83af 50603->50604 50604->50596 50606 64e75ef 50605->50606 50607 64e9129 50606->50607 50610 64e9119 50606->50610 50608 64e9127 50607->50608 50643 64e770c 50607->50643 50627 64e931c 50610->50627 50633 64e9250 50610->50633 50638 64e924d 50610->50638 50615 64e8362 50614->50615 50616 64e75e4 CallWindowProcW 50615->50616 50617 64e83af 50616->50617 50617->50596 50619 64e90f5 50618->50619 50620 64e9129 50619->50620 50622 64e9119 50619->50622 50621 64e770c CallWindowProcW 50620->50621 50623 64e9127 50620->50623 50621->50623 50624 64e931c CallWindowProcW 50622->50624 50625 64e924d CallWindowProcW 50622->50625 50626 64e9250 CallWindowProcW 50622->50626 50623->50623 50624->50623 50625->50623 50626->50623 50628 64e92da 50627->50628 50629 64e932a 50627->50629 50647 64e9308 50628->50647 50650 64e92f9 50628->50650 50630 64e92f0 50630->50608 50635 64e9264 50633->50635 50634 64e92f0 50634->50608 50636 64e9308 CallWindowProcW 50635->50636 50637 64e92f9 CallWindowProcW 50635->50637 50636->50634 50637->50634 50640 64e9264 50638->50640 50639 64e92f0 50639->50608 50641 64e9308 CallWindowProcW 50640->50641 50642 64e92f9 CallWindowProcW 50640->50642 50641->50639 50642->50639 50644 64e7717 50643->50644 50645 64ea80a CallWindowProcW 50644->50645 50646 64ea7b9 50644->50646 50645->50646 50646->50608 50648 64e9319 50647->50648 50653 64ea750 50647->50653 50648->50630 50651 64e9319 50650->50651 50652 64ea750 CallWindowProcW 50650->50652 50651->50630 50652->50651 50654 64e770c CallWindowProcW 50653->50654 50655 64ea75a 50654->50655 50655->50648 50805 5ca9d58 50806 5ca9d66 50805->50806 50808 5ca9d80 50805->50808 50809 5ca9d9d 50808->50809 50810 5ca9dc5 50808->50810 50809->50806 50810->50809 50811 
5ca9eae GlobalMemoryStatusEx 50810->50811 50812 5ca9ede 50811->50812 50812->50806 51036 5cae368 DuplicateHandle 51037 5cae3fe 51036->51037 51048 2260890 51049 22608b1 51048->51049 51050 226097a 51049->51050 51053 2263dbd 51049->51053 51056 226451a 51049->51056 51059 2269230 51053->51059 51058 2269230 VirtualProtect 51056->51058 51057 2264539 51058->51057 51061 2269243 51059->51061 51063 22692e0 51061->51063 51064 2269328 VirtualProtect 51063->51064 51066 2263dd6 51064->51066 51038 5cae120 51039 5cae166 GetCurrentProcess 51038->51039 51041 5cae1b8 GetCurrentThread 51039->51041 51042 5cae1b1 51039->51042 51043 5cae1ee 51041->51043 51044 5cae1f5 GetCurrentProcess 51041->51044 51042->51041 51043->51044 51045 5cae22b 51044->51045 51046 5cae253 GetCurrentThreadId 51045->51046 51047 5cae284 51046->51047 50813 40cbdd 50814 40cbe9 _getenv 50813->50814 50857 40d534 HeapCreate 50814->50857 50817 40cc46 50918 41087e 71 API calls 8 library calls 50817->50918 50820 40cc4c 50821 40cc50 50820->50821 50822 40cc58 __RTC_Initialize 50820->50822 50919 40cbb4 62 API calls 3 library calls 50821->50919 50859 411a15 67 API calls 3 library calls 50822->50859 50824 40cc57 50824->50822 50826 40cc66 50827 40cc72 GetCommandLineA 50826->50827 50828 40cc6a 50826->50828 50860 412892 71 API calls 3 library calls 50827->50860 50920 40e79a 62 API calls 3 library calls 50828->50920 50831 40cc82 50921 4127d7 107 API calls 3 library calls 50831->50921 50832 40cc71 50832->50827 50834 40cc8c 50835 40cc90 50834->50835 50836 40cc98 50834->50836 50922 40e79a 62 API calls 3 library calls 50835->50922 50861 41255f 106 API calls 6 library calls 50836->50861 50839 40cc97 50839->50836 50840 40cc9d 50841 40cca1 50840->50841 50842 40cca9 50840->50842 50923 40e79a 62 API calls 3 library calls 50841->50923 50862 40e859 73 API calls 5 library calls 50842->50862 50845 40cca8 50845->50842 50846 40ccb0 50847 40ccb5 50846->50847 50848 40ccbc 50846->50848 50924 40e79a 62 API calls 3 library calls 50847->50924 50863 4019f0 
OleInitialize 50848->50863 50851 40ccbb 50851->50848 50852 40ccd8 50853 40ccea 50852->50853 50925 40ea0a 62 API calls _doexit 50852->50925 50926 40ea36 62 API calls _doexit 50853->50926 50856 40ccef _getenv 50858 40cc3a 50857->50858 50858->50817 50917 40cbb4 62 API calls 3 library calls 50858->50917 50859->50826 50860->50831 50861->50840 50862->50846 50864 401ab9 50863->50864 50927 40b99e 50864->50927 50866 401abf 50867 401acd GetCurrentProcessId CreateToolhelp32Snapshot Module32First 50866->50867 50896 402467 50866->50896 50868 401dc3 FindCloseChangeNotification GetModuleHandleA 50867->50868 50876 401c55 50867->50876 50940 401650 50868->50940 50870 401e8b FindResourceA LoadResource LockResource SizeofResource 50942 40b84d 50870->50942 50874 401c9c CloseHandle 50874->50852 50875 401ecb _memset 50877 401efc SizeofResource 50875->50877 50876->50874 50880 401cf9 Module32Next 50876->50880 50878 401f1c 50877->50878 50879 401f5f 50877->50879 50878->50879 50998 401560 __VEC_memcpy ___sbh_free_block 50878->50998 50882 401f92 _memset 50879->50882 50999 401560 __VEC_memcpy ___sbh_free_block 50879->50999 50880->50868 50888 401d0f 50880->50888 50884 401fa2 FreeResource 50882->50884 50885 40b84d _malloc 62 API calls 50884->50885 50886 401fbb SizeofResource 50885->50886 50887 401fe5 _memset 50886->50887 50889 4020aa LoadLibraryA 50887->50889 50888->50874 50892 401dad Module32Next 50888->50892 50890 401650 50889->50890 50891 40216c GetProcAddress 50890->50891 50893 4021aa 50891->50893 50891->50896 50892->50868 50892->50888 50893->50896 50972 4018f0 50893->50972 50896->50852 50897 4021f1 50916 40243f 50897->50916 50984 401870 50897->50984 50899 402269 VariantInit 50900 401870 75 API calls 50899->50900 50901 40228b VariantInit 50900->50901 50902 4022a7 50901->50902 50903 4022d9 SafeArrayCreate SafeArrayAccessData 50902->50903 50989 40b350 50903->50989 50906 40232c 50907 402354 SafeArrayDestroy 50906->50907 50908 40235b 50906->50908 50907->50908 50909 402392 SafeArrayCreateVector 
50908->50909 50910 4023a4 50909->50910 50911 4023bc VariantClear VariantClear 50910->50911 50991 4019a0 50911->50991 50914 40242e 50915 4019a0 65 API calls 50914->50915 50915->50916 50916->50896 51000 40b6b5 62 API calls 2 library calls 50916->51000 50917->50817 50918->50820 50919->50824 50920->50832 50921->50834 50922->50839 50923->50845 50924->50851 50925->50853 50926->50856 50930 40b9aa _getenv _strnlen 50927->50930 50928 40b9b8 51001 40bfc1 62 API calls __getptd_noexit 50928->51001 50930->50928 50933 40b9ec 50930->50933 50931 40b9bd 51002 40e744 6 API calls 2 library calls 50931->51002 51003 40d6e0 62 API calls 2 library calls 50933->51003 50935 40b9f3 51004 40b917 120 API calls 3 library calls 50935->51004 50937 40b9ff 51005 40ba18 LeaveCriticalSection _doexit 50937->51005 50938 40b9cd _getenv 50938->50866 50941 4017cc _realloc 50940->50941 50941->50870 50943 40b900 50942->50943 50954 40b85f 50942->50954 51013 40d2e3 6 API calls __decode_pointer 50943->51013 50945 40b906 51014 40bfc1 62 API calls __getptd_noexit 50945->51014 50948 401ebf 50960 40af66 50948->50960 50951 40b8bc RtlAllocateHeap 50951->50954 50952 40b870 50952->50954 51006 40ec4d 62 API calls 2 library calls 50952->51006 51007 40eaa2 62 API calls 7 library calls 50952->51007 51008 40e7ee GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 50952->51008 50954->50948 50954->50951 50954->50952 50955 40b8ec 50954->50955 50958 40b8f1 50954->50958 51009 40b7fe 62 API calls 4 library calls 50954->51009 51010 40d2e3 6 API calls __decode_pointer 50954->51010 51011 40bfc1 62 API calls __getptd_noexit 50955->51011 51012 40bfc1 62 API calls __getptd_noexit 50958->51012 50962 40af70 50960->50962 50961 40b84d _malloc 62 API calls 50961->50962 50962->50961 50963 40af8a 50962->50963 50967 40af8c std::bad_alloc::bad_alloc 50962->50967 51015 40d2e3 6 API calls __decode_pointer 50962->51015 50963->50875 50965 40afb2 51017 40af49 62 API calls std::exception::exception 50965->51017 50967->50965 51016 
40d2bd 73 API calls __cinit 50967->51016 50968 40afbc 51018 40cd39 RaiseException 50968->51018 50971 40afca 50973 401903 lstrlenA 50972->50973 50974 4018fc 50972->50974 51019 4017e0 50973->51019 50974->50897 50977 401940 GetLastError 50979 40194b MultiByteToWideChar 50977->50979 50980 40198d 50977->50980 50978 401996 50978->50897 50981 4017e0 72 API calls 50979->50981 50980->50978 51027 401030 GetLastError 50980->51027 50983 401970 MultiByteToWideChar 50981->50983 50983->50980 50985 40af66 74 API calls 50984->50985 50986 40187c 50985->50986 50987 401885 SysAllocString 50986->50987 50988 4018a4 50986->50988 50987->50988 50988->50899 50990 40231a SafeArrayUnaccessData 50989->50990 50990->50906 50992 4019aa InterlockedDecrement 50991->50992 50997 4019df VariantClear 50991->50997 50993 4019b8 50992->50993 50992->50997 50994 4019c2 SysFreeString 50993->50994 50995 4019c9 50993->50995 50993->50997 50994->50995 51031 40aec0 63 API calls 2 library calls 50995->51031 50997->50914 50998->50878 50999->50882 51000->50896 51001->50931 51003->50935 51004->50937 51005->50938 51006->50952 51007->50952 51009->50954 51010->50954 51011->50958 51012->50948 51013->50945 51014->50948 51015->50962 51016->50965 51017->50968 51018->50971 51020 4017e9 51019->51020 51025 401844 51020->51025 51026 40182d 51020->51026 51028 40b783 72 API calls 4 library calls 51020->51028 51024 40186d MultiByteToWideChar 51024->50977 51024->50978 51025->51024 51030 40b743 62 API calls 2 library calls 51025->51030 51026->51025 51029 40b6b5 62 API calls 2 library calls 51026->51029 51028->51026 51029->51025 51030->51025 51031->50997 50656 2269728 50658 226972e 50656->50658 50657 22697fb 50658->50657 50661 5cad00a 50658->50661 50665 5cad018 50658->50665 50662 5cad027 50661->50662 50669 5cac814 50662->50669 50666 5cad027 50665->50666 50667 5cac814 3 API calls 50666->50667 50668 5cad048 50667->50668 50668->50658 50671 5cac81f 50669->50671 50673 5cadf7c 50671->50673 50672 5cae9bd 50672->50672 50674 5cadf87 
50673->50674 50675 5caf014 50674->50675 50678 64e0dc0 50674->50678 50683 64e0db0 50674->50683 50675->50672 50679 64e0de1 50678->50679 50680 64e0e05 50679->50680 50689 64e0f60 50679->50689 50694 64e0f70 50679->50694 50680->50675 50684 64e0d9e 50683->50684 50686 64e0db6 50683->50686 50684->50675 50685 64e0e05 50685->50675 50686->50685 50687 64e0f60 3 API calls 50686->50687 50688 64e0f70 3 API calls 50686->50688 50687->50685 50688->50685 50691 64e0f7d 50689->50691 50690 64e0fb6 50690->50680 50691->50690 50699 64e0fc8 50691->50699 50705 64e0fd8 50691->50705 50695 64e0f7d 50694->50695 50696 64e0fb6 50695->50696 50697 64e0fc8 3 API calls 50695->50697 50698 64e0fd8 3 API calls 50695->50698 50696->50680 50697->50696 50698->50696 50700 64e0fd6 50699->50700 50701 64e1028 50700->50701 50711 64e1070 50700->50711 50719 64e10d4 50700->50719 50728 64e1088 50700->50728 50701->50701 50706 64e1000 50705->50706 50707 64e1028 50706->50707 50708 64e1088 3 API calls 50706->50708 50709 64e10d4 3 API calls 50706->50709 50710 64e1070 3 API calls 50706->50710 50707->50707 50708->50707 50709->50707 50710->50707 50712 64e1092 50711->50712 50713 64e1097 50712->50713 50736 64e1f00 50712->50736 50740 64e1f30 50712->50740 50744 64e6278 50713->50744 50757 64e6290 50713->50757 50714 64e10d1 50714->50701 50720 64e1092 50719->50720 50721 64e10e2 50719->50721 50722 64e1097 50720->50722 50724 64e1f00 3 API calls 50720->50724 50725 64e1f30 3 API calls 50720->50725 50726 64e6278 3 API calls 50722->50726 50727 64e6290 3 API calls 50722->50727 50723 64e10d1 50723->50701 50724->50722 50725->50722 50726->50723 50727->50723 50729 64e1092 50728->50729 50730 64e1097 50729->50730 50734 64e1f00 3 API calls 50729->50734 50735 64e1f30 3 API calls 50729->50735 50732 64e6278 3 API calls 50730->50732 50733 64e6290 3 API calls 50730->50733 50731 64e10d1 50731->50701 50732->50731 50733->50731 50734->50730 50735->50730 50737 64e1f05 50736->50737 50738 64e2238 50737->50738 50739 64e0dc0 3 API calls 50737->50739 
50738->50713 50739->50738 50743 64e1f53 50740->50743 50741 64e2238 50741->50713 50742 64e0dc0 3 API calls 50742->50741 50743->50741 50743->50742 50746 64e62c1 50744->50746 50749 64e63c1 50744->50749 50745 64e62cd 50745->50714 50746->50745 50753 64e6278 3 API calls 50746->50753 50754 64e6290 3 API calls 50746->50754 50770 64e6508 50746->50770 50773 64e64f8 50746->50773 50747 64e64ca 50747->50714 50748 64e630d 50776 64e6c10 50748->50776 50780 64e6c20 50748->50780 50749->50747 50784 64e6538 50749->50784 50753->50748 50754->50748 50759 64e62c1 50757->50759 50762 64e63c1 50757->50762 50758 64e62cd 50758->50714 50759->50758 50766 64e64f8 2 API calls 50759->50766 50767 64e6508 2 API calls 50759->50767 50768 64e6278 3 API calls 50759->50768 50769 64e6290 3 API calls 50759->50769 50760 64e64ca 50760->50714 50761 64e630d 50763 64e6c10 CreateWindowExW 50761->50763 50764 64e6c20 CreateWindowExW 50761->50764 50762->50760 50765 64e6538 2 API calls 50762->50765 50763->50762 50764->50762 50765->50760 50766->50761 50767->50761 50768->50761 50769->50761 50771 64e6512 50770->50771 50772 64e6538 2 API calls 50770->50772 50771->50748 50772->50771 50775 64e6538 2 API calls 50773->50775 50774 64e6512 50774->50748 50775->50774 50777 64e6c21 50776->50777 50778 64e6ca6 50777->50778 50792 64e8150 50777->50792 50778->50749 50781 64e6c42 50780->50781 50782 64e6ca6 50780->50782 50781->50782 50783 64e8150 CreateWindowExW 50781->50783 50782->50749 50783->50782 50785 64e6559 50784->50785 50786 64e657c 50784->50786 50785->50786 50797 64e67d0 50785->50797 50801 64e67e0 50785->50801 50786->50747 50787 64e6574 50787->50786 50788 64e6780 GetModuleHandleW 50787->50788 50789 64e67ad 50788->50789 50789->50747 50793 64e8166 50792->50793 50794 64e819e CreateWindowExW 50792->50794 50793->50778 50796 64e82d4 50794->50796 50796->50796 50798 64e67f4 50797->50798 50799 64e6819 50798->50799 50800 64e5500 LoadLibraryExW 50798->50800 50799->50787 50800->50799 50802 64e67f4 50801->50802 50803 64e6819 50802->50803 
50804 64e5500 LoadLibraryExW 50802->50804 50803->50787 50804->50803 51032 22694b8 51033 22694f8 FindCloseChangeNotification 51032->51033 51035 2269529 51033->51035

                                Control-flow Graph

                                control_flow_graph 0 4019f0-401ac7 OleInitialize call 401650 call 40b99e 5 40248a-402496 0->5 6 401acd-401c4f GetCurrentProcessId CreateToolhelp32Snapshot Module32First 0->6 7 401dc3-401ed4 FindCloseChangeNotification GetModuleHandleA call 401650 FindResourceA LoadResource LockResource SizeofResource call 40b84d call 40af66 6->7 8 401c55-401c6c call 401650 6->8 26 401ed6-401eed call 40ba30 7->26 27 401eef 7->27 13 401c73-401c77 8->13 15 401c93-401c95 13->15 16 401c79-401c7b 13->16 20 401c98-401c9a 15->20 18 401c7d-401c83 16->18 19 401c8f-401c91 16->19 18->15 23 401c85-401c8d 18->23 19->20 24 401cb0-401cce call 401650 20->24 25 401c9c-401caf CloseHandle 20->25 23->13 23->19 34 401cd0-401cd4 24->34 30 401ef3-401f1a call 401300 SizeofResource 26->30 27->30 39 401f1c-401f2f 30->39 40 401f5f-401f69 30->40 36 401cf0-401cf2 34->36 37 401cd6-401cd8 34->37 38 401cf5-401cf7 36->38 41 401cda-401ce0 37->41 42 401cec-401cee 37->42 38->25 43 401cf9-401d09 Module32Next 38->43 44 401f33-401f5d call 401560 39->44 45 401f73-401f75 40->45 46 401f6b-401f72 40->46 41->36 47 401ce2-401cea 41->47 42->38 43->7 48 401d0f 43->48 44->40 50 401f92-4021a4 call 40ba30 FreeResource call 40b84d SizeofResource call 40ac60 call 40ba30 call 401650 LoadLibraryA call 401650 GetProcAddress 45->50 51 401f77-401f8d call 401560 45->51 46->45 47->34 47->42 54 401d10-401d2e call 401650 48->54 50->5 87 4021aa-4021c0 50->87 51->50 61 401d30-401d34 54->61 63 401d50-401d52 61->63 64 401d36-401d38 61->64 68 401d55-401d57 63->68 66 401d3a-401d40 64->66 67 401d4c-401d4e 64->67 66->63 70 401d42-401d4a 66->70 67->68 68->25 71 401d5d-401d7b call 401650 68->71 70->61 70->67 76 401d80-401d84 71->76 78 401da0-401da2 76->78 79 401d86-401d88 76->79 83 401da5-401da7 78->83 81 401d8a-401d90 79->81 82 401d9c-401d9e 79->82 81->78 85 401d92-401d9a 81->85 82->83 83->25 86 401dad-401dbd Module32Next 83->86 85->76 85->82 86->7 86->54 89 4021c6-4021ca 87->89 90 40246a-402470 87->90 89->90 91 
4021d0-402217 call 4018f0 89->91 92 402472-402475 90->92 93 40247a-402480 90->93 98 40221d-40223d 91->98 99 40244f-40245f 91->99 92->93 93->5 95 402482-402487 93->95 95->5 98->99 104 402243-402251 98->104 99->90 100 402461-402467 call 40b6b5 99->100 100->90 104->99 106 402257-4022b7 call 401870 VariantInit call 401870 VariantInit call 4018d0 104->106 114 4022c3-40232a call 4018d0 SafeArrayCreate SafeArrayAccessData call 40b350 SafeArrayUnaccessData 106->114 115 4022b9-4022be call 40ad90 106->115 122 402336-40234d call 4018d0 114->122 123 40232c-402331 call 40ad90 114->123 115->114 154 40234e call 5dd01d 122->154 155 40234e call 5dd005 122->155 123->122 127 402350-402352 128 402354-402355 SafeArrayDestroy 127->128 129 40235b-402361 127->129 128->129 130 402363-402368 call 40ad90 129->130 131 40236d-402375 129->131 130->131 133 402377-402379 131->133 134 40237b 131->134 135 40237d-40238f call 4018d0 133->135 134->135 152 402390 call 5dd01d 135->152 153 402390 call 5dd005 135->153 138 402392-4023a2 SafeArrayCreateVector 139 4023a4-4023a9 call 40ad90 138->139 140 4023ae-4023b4 138->140 139->140 142 4023b6-4023b8 140->142 143 4023ba 140->143 144 4023bc-402417 VariantClear * 2 call 4019a0 142->144 143->144 146 40241c-40242c VariantClear 144->146 147 402436-402445 call 4019a0 146->147 148 40242e-402433 146->148 147->99 151 402447-40244c 147->151 148->147 151->99 152->138 153->138 154->127 155->127
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 004019FD
                                • _getenv.LIBCMT ref: 00401ABA
                                • GetCurrentProcessId.KERNEL32 ref: 00401ACD
                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                                • Module32First.KERNEL32 ref: 00401C48
                                • CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
                                • Module32Next.KERNEL32(00000000,?), ref: 00401D02
                                • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 00401DC4
                                • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
                                • FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
                                • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
                                • LockResource.KERNEL32(00000000), ref: 00401EA7
                                • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
                                • _malloc.LIBCMT ref: 00401EBA
                                • _memset.LIBCMT ref: 00401EDD
                                • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
                                • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                • API String ID: 2366190142-2962942730
                                • Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
                                • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                • Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
                                • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

                                Control-flow Graph

                                control_flow_graph 806 5c7bd88-5c7bda9 807 5c7bdab-5c7bdae 806->807 808 5c7bdb4-5c7bdd3 807->808 809 5c7c553-5c7c556 807->809 818 5c7bdd5-5c7bdd8 808->818 819 5c7bdec-5c7bdf6 808->819 810 5c7c57c-5c7c57e 809->810 811 5c7c558-5c7c577 809->811 812 5c7c585-5c7c588 810->812 813 5c7c580 810->813 811->810 812->807 816 5c7c58e-5c7c597 812->816 813->812 818->819 821 5c7bdda-5c7bdea 818->821 823 5c7bdfc-5c7be0b 819->823 821->823 935 5c7be0d call 5c7c5d0 823->935 936 5c7be0d call 5c7c5c9 823->936 825 5c7be12-5c7be17 826 5c7be24-5c7c101 825->826 827 5c7be19-5c7be1f 825->827 848 5c7c107-5c7c1b6 826->848 849 5c7c545-5c7c552 826->849 827->816 858 5c7c1df 848->858 859 5c7c1b8-5c7c1dd 848->859 861 5c7c1e8-5c7c1fb call 5c7881c 858->861 859->861 864 5c7c201-5c7c223 call 5c78828 861->864 865 5c7c52c-5c7c538 861->865 864->865 869 5c7c229-5c7c233 864->869 865->848 866 5c7c53e 865->866 866->849 869->865 870 5c7c239-5c7c244 869->870 870->865 871 5c7c24a-5c7c320 870->871 883 5c7c322-5c7c324 871->883 884 5c7c32e-5c7c35e 871->884 883->884 888 5c7c360-5c7c362 884->888 889 5c7c36c-5c7c378 884->889 888->889 890 5c7c37a-5c7c37e 889->890 891 5c7c3d8-5c7c3dc 889->891 890->891 892 5c7c380-5c7c3aa 890->892 893 5c7c3e2-5c7c41e 891->893 894 5c7c51d-5c7c526 891->894 901 5c7c3ac-5c7c3ae 892->901 902 5c7c3b8-5c7c3d5 call 5c78834 892->902 905 5c7c420-5c7c422 893->905 906 5c7c42c-5c7c43a 893->906 894->865 894->871 901->902 902->891 905->906 909 5c7c451-5c7c45c 906->909 910 5c7c43c-5c7c447 906->910 913 5c7c474-5c7c485 909->913 914 5c7c45e-5c7c464 909->914 910->909 915 5c7c449 910->915 919 5c7c487-5c7c48d 913->919 920 5c7c49d-5c7c4a9 913->920 916 5c7c466 914->916 917 5c7c468-5c7c46a 914->917 915->909 916->913 917->913 921 5c7c491-5c7c493 919->921 922 5c7c48f 919->922 924 5c7c4c1-5c7c516 920->924 925 5c7c4ab-5c7c4b1 920->925 921->920 922->920 924->894 926 5c7c4b5-5c7c4b7 925->926 927 5c7c4b3 925->927 926->924 927->924 935->825 936->825
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                • API String ID: 0-3723351465
                                • Opcode ID: b07b42a8c7755517af82ca9cd17d30151c0687e7d8a4881986a22095fe6c0f6c
                                • Instruction ID: 657264c148a3f30222832575be90bb4e79a238a3973ffc42c52b0ab806438e96
                                • Opcode Fuzzy Hash: b07b42a8c7755517af82ca9cd17d30151c0687e7d8a4881986a22095fe6c0f6c
                                • Instruction Fuzzy Hash: 1E323135E1071A8FCB14EFB5D8945ADB7B2FFC9300F609A6AD409A7214EB709D85CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: XPbq$\Obq
                                • API String ID: 0-409418754
                                • Opcode ID: 18a655c5f7406208e63664ded6848dad98ef4b7b655d54b74c567fd4a3a0ef9a
                                • Instruction ID: 96180c452a3b9093d3523bf9d9c86b4c22e5c80fb24e7f09e12411f8b4e06d43
                                • Opcode Fuzzy Hash: 18a655c5f7406208e63664ded6848dad98ef4b7b655d54b74c567fd4a3a0ef9a
                                • Instruction Fuzzy Hash: 70E1E336B001188FDB24DB78C494AADBBE6FF89710F2588AAE406DB791CA31DD45C791
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2790633b9965ca437b22eca3108c6959ab66b81b7a3869dbac43c410515e3bb7
                                • Instruction ID: de693b84698d3ec76c9a6df5c5bb48944e35fcc68ba069d560ba4c950d20b9a2
                                • Opcode Fuzzy Hash: 2790633b9965ca437b22eca3108c6959ab66b81b7a3869dbac43c410515e3bb7
                                • Instruction Fuzzy Hash: 3D630831D10B1A8ACB51EF68C8845A9F7B1FF99300F11DB9AE45977121FB70AAD4CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280283326.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ca0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: Xaq$$]q
                                • API String ID: 0-1280934391
                                • Opcode ID: 4dc51e01a745599b52052860060e4d8173d49fdd4abc97b3fec5408e2e3224b0
                                • Instruction ID: efb2653adc8615040d7dfddc0382280e3a9406a570bdf916ccca2864ee4bbb68
                                • Opcode Fuzzy Hash: 4dc51e01a745599b52052860060e4d8173d49fdd4abc97b3fec5408e2e3224b0
                                • Instruction Fuzzy Hash: 8EB19E35B052599BDB08EF79945927E7EE7BBC8714B04886ED40BD7388CE34C8028796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-3993045852
                                • Opcode ID: 121b2bf94fa0bc8565128a70f888da5e00de1b1469d5d7f877002b29b8166eb3
                                • Instruction ID: c7b434f274582876c1ab13f75498fc6f2f8b076e39cd821cc2cb22472ca10ee8
                                • Opcode Fuzzy Hash: 121b2bf94fa0bc8565128a70f888da5e00de1b1469d5d7f877002b29b8166eb3
                                • Instruction Fuzzy Hash: 8622B576F002199FDF24DBB8C480AAEBBB6FF84310F1088A9E515AB745DA35DD41CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Vl
                                • API String ID: 0-682378881
                                • Opcode ID: a08127220cd8d18b52d8bf5306b3aa7a19a5aa4cb3329ec56b8cce5f778cbcef
                                • Instruction ID: 503587b8df14ba2a9e64167ae2b8bee4bab23fb9314bdaccc24ff8259e62c524
                                • Opcode Fuzzy Hash: a08127220cd8d18b52d8bf5306b3aa7a19a5aa4cb3329ec56b8cce5f778cbcef
                                • Instruction Fuzzy Hash: 1FB11B71E1020DDFDF14DFE9C9897ADBBF2AB88304F148129D815AB258EB749895CF81
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Vl
                                • API String ID: 0-682378881
                                • Opcode ID: 0ea9b1cb862e6515d811f65f3c6facd8ffa4f7cbf0ece8f9dc701ec2fa9feab7
                                • Instruction ID: 310cae49d6bb7dbb48c027fc674561c53245a8b083cd8f67d9ac4025dea7b721
                                • Opcode Fuzzy Hash: 0ea9b1cb862e6515d811f65f3c6facd8ffa4f7cbf0ece8f9dc701ec2fa9feab7
                                • Instruction Fuzzy Hash: 62917171E10209DFDF14DFE9C9897EDBBF2AF88304F14812AE455A7258DB749885CB81
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280283326.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ca0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 19947a1a0867def101f86212635f1941a72b50d0ba91604dfd3f7524c6a661e5
                                • Instruction ID: 286f70dcbb32d47d20e4d5bb3e41d458cd975bc7aa9a1f276932aedc480c163b
                                • Opcode Fuzzy Hash: 19947a1a0867def101f86212635f1941a72b50d0ba91604dfd3f7524c6a661e5
                                • Instruction Fuzzy Hash: 17228335F0020A8BDF28DAA8D4C4BBDBBB6FB45314F248C26E409DB355DA75DD818751
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280545074.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_64e0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 085863ae84a7a1868731690967388edb38c5cdbe416a446f70c932950dcfa1da
                                • Instruction ID: 703b617a9ca1f4455222a9e14a74c8b66f1055f2bab54037081f4946730d6c8f
                                • Opcode Fuzzy Hash: 085863ae84a7a1868731690967388edb38c5cdbe416a446f70c932950dcfa1da
                                • Instruction Fuzzy Hash: BBF19235A00619CFCB59CF68C9949AEBBF6FF48712F56842AD806DB350E734E945CB40
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7a7c3e0182ee3729d80ea16a92f3f327981328a86a125056466a5a66942c84c1
                                • Instruction ID: db14f916426e7bcea4ef938ecc7b66f0de963f8af00c50288acc2f19710a74d5
                                • Opcode Fuzzy Hash: 7a7c3e0182ee3729d80ea16a92f3f327981328a86a125056466a5a66942c84c1
                                • Instruction Fuzzy Hash: 5CB15D71F1420E8FDF10CFE9C9857ADBBF2AF88314F148529D415AB298EB759885CB81

                                Control-flow Graph (rendered graph not reproduced)
                                APIs
                                • lstrlenA.KERNEL32(?), ref: 00401906
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                                • GetLastError.KERNEL32 ref: 00401940
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                • String ID:
                                • API String ID: 3322701435-0
                                • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                                • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

                                Control-flow Graph (rendered graph not reproduced)
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 05CAE19E
                                • GetCurrentThread.KERNEL32 ref: 05CAE1DB
                                • GetCurrentProcess.KERNEL32 ref: 05CAE218
                                • GetCurrentThreadId.KERNEL32 ref: 05CAE271
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280283326.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ca0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: e602f0e12f8d83b4467ff356940fd2c98039f3c3e6277e28a2e2f6b5d7c22814
                                • Instruction ID: e11dda82a1d9469e4b1fd2e39d6a03ae172f68d279ebe441bd9a938681c3d0c5
                                • Opcode Fuzzy Hash: e602f0e12f8d83b4467ff356940fd2c98039f3c3e6277e28a2e2f6b5d7c22814
                                • Instruction Fuzzy Hash: 275166B490024ACFDB14DFA9D548BAEBFF6FF88304F24845AE009A7361D7385944CB66

                                Control-flow Graph (rendered graph not reproduced)
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 05CAE19E
                                • GetCurrentThread.KERNEL32 ref: 05CAE1DB
                                • GetCurrentProcess.KERNEL32 ref: 05CAE218
                                • GetCurrentThreadId.KERNEL32 ref: 05CAE271
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280283326.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ca0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 18f8c5a02013f1e271786de03883a9b3385bc026cfc9a2d86b28bee3f21ed672
                                • Instruction ID: 537660ee4ea3b6db5e9e785cd30fa5c311172247ba6fee1709e0c617748db553
                                • Opcode Fuzzy Hash: 18f8c5a02013f1e271786de03883a9b3385bc026cfc9a2d86b28bee3f21ed672
                                • Instruction Fuzzy Hash: 0E5158B490020ACFDB14DFA9D548BAEBFF6FF88304F20845AE409A7360D7745944CB66

                                Control-flow Graph (rendered graph not reproduced)
                                APIs
                                • _malloc.LIBCMT ref: 0040AF80
                                  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                  • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                • String ID:
                                • API String ID: 1411284514-0
                                • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                                • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

                                Control-flow Graph (rendered graph not reproduced)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: fbq$XPbq$\Obq
                                • API String ID: 0-4057264190
                                • Opcode ID: 9dadaacc6cfce2ffb55b740d0e009c06b8014fccc9e2bf96650a1b7462356751
                                • Instruction ID: ff12f7ac8820c2bf91d2c763ef6495c2b7cf94f731bcc359a1964be323c19291
                                • Opcode Fuzzy Hash: 9dadaacc6cfce2ffb55b740d0e009c06b8014fccc9e2bf96650a1b7462356751
                                • Instruction Fuzzy Hash: 1A616070F002099FDB549FA5C855BAEBBF6FF88700F20842AE506EB395DB754D418B91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: fbq$XPbq
                                • API String ID: 0-2292610095
                                • Opcode ID: 4848fc6f308030f54942772aa6cf7893040437b94e2b87ca9353d4f679a366f1
                                • Instruction ID: 705c280875ceab18fdd94e09bcef6d926ffbc6f25f168af7175e5e580f069503
                                • Opcode Fuzzy Hash: 4848fc6f308030f54942772aa6cf7893040437b94e2b87ca9353d4f679a366f1
                                • Instruction Fuzzy Hash: F9518270F002099FDB549FE4C8557AEBBF6FF88700F20892AE106AB395DB758D418B91
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 064E679E
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280545074.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_64e0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: e6d50d845eee13a86c05e71a2dbd5ee4d3fa297e7e37a9cd71c9084bb664f298
                                • Instruction ID: 0ad43aedb448d57d0ca833b1f7616d513f3873763e081d1702426946297f3b33
                                • Opcode Fuzzy Hash: e6d50d845eee13a86c05e71a2dbd5ee4d3fa297e7e37a9cd71c9084bb664f298
                                • Instruction Fuzzy Hash: 88815470A10B058FDBA5DF69D44475ABBF1BF88301F018A2ED48AD7B50DB35E94ACB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280545074.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_64e0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 20850906f8766b6e3e6b412e0fe1acf9f96993118a7b718e964bf8f61d9a4b01
                                • Instruction ID: 4ff502132bf33815d045deca4a3fd15d512af1019edfb54592649ff6cd65c369
                                • Opcode Fuzzy Hash: 20850906f8766b6e3e6b412e0fe1acf9f96993118a7b718e964bf8f61d9a4b01
                                • Instruction Fuzzy Hash: 5F5102B1C00249AFDF15CF99C984ADEBFB5FF49300F25826AE818AB260D7759855CF90
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280283326.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ca0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7e2c04e929ce7ce794b485c4cdeda9ffacd6f41c6b7277cf498a430e0a7c3579
                                • Instruction ID: ec71cfc285cdbfa5936e6e5153a5ce8049dff466d972815f6c67e2a0493625ce
                                • Opcode Fuzzy Hash: 7e2c04e929ce7ce794b485c4cdeda9ffacd6f41c6b7277cf498a430e0a7c3579
                                • Instruction Fuzzy Hash: 79412672D047968FCB14DFB9D8057AEBFF1AF89310F04896AD408A7281DB789984CBD1
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064E82C2
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280545074.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_64e0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: ce86516ef25aceec86ab563165d104993beb42db6b04e895457c43887aebcc97
                                • Instruction ID: 692ec1b6284c575753da0d9f20c166ee3110880c47dcf33ffebd3dc6146cda50
                                • Opcode Fuzzy Hash: ce86516ef25aceec86ab563165d104993beb42db6b04e895457c43887aebcc97
                                • Instruction Fuzzy Hash: 9B41B0B1D00309DFDF15CF9AC984ADEBBB5BF48310F64812AE819AB250D775A845CF91
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 064EA831
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280545074.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_64e0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: 348219f95b684ebf7305fa2290897f7ee93e844cb12e0ee97de3a1341d1704da
                                • Instruction ID: fc21caf98d58379d4dc5071ec3cc7131d4eb18619b425a847e0d2c6066bb9a0c
                                • Opcode Fuzzy Hash: 348219f95b684ebf7305fa2290897f7ee93e844cb12e0ee97de3a1341d1704da
                                • Instruction Fuzzy Hash: 254108B49002458FDB54DF99C488BAAFBF5FF88315F24C45AE519AB321D735A881CBA0
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05CAE3EF
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280283326.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ca0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: c800a2db1cb162ab96f3fae67f5c64cef85e25338b32cf91e13d465eb8fcb37a
                                • Instruction ID: 6a32906839003a29bc5b44ce9313e08cce0695a271749c24bb3fbf43b15d9bbb
                                • Opcode Fuzzy Hash: c800a2db1cb162ab96f3fae67f5c64cef85e25338b32cf91e13d465eb8fcb37a
                                • Instruction Fuzzy Hash: B621E3B5D002499FDB10CFA9D984ADEBFF8FB08320F14851AE918A7250D378A944CFA1
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05CAE3EF
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280283326.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ca0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,064E6819,00000800,00000000,00000000), ref: 064E6A0A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280545074.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_64e0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,064E6819,00000800,00000000,00000000), ref: 064E6A0A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280545074.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_64e0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                APIs
                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 02269354
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,064E6819,00000800,00000000,00000000), ref: 064E6A0A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280545074.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_64e0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32 ref: 05CA9ECF
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280283326.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5ca0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                APIs
                                • FindCloseChangeNotification.KERNEL32 ref: 0226951A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: ChangeCloseFindNotification
                                • String ID:
                                • API String ID: 2591292051-0
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 064E679E
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280545074.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_64e0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                APIs
                                  • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
                                • SysAllocString.OLEAUT32 ref: 00401898
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: AllocString_malloc
                                • String ID:
                                • API String ID: 959018026-0
                                APIs
                                • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: CreateHeap
                                • String ID:
                                • API String ID: 10892065-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: PH]q
                                • API String ID: 0-3168235125
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR]q
                                • API String ID: 0-3081347316
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR]q
                                • API String ID: 0-3081347316
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR]q
                                • API String ID: 0-3081347316
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: KDBM
                                • API String ID: 0-3504354710
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR]q
                                • API String ID: 0-3081347316
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f4ab369aa0dc9a91aec02ea4533ea2a670de260f1d03b9f4387ce6624c36eb4e
                                • Instruction ID: 2a0236e3bcaac9b6960839a5bd66a0a8572f109a959cc603bf6ed65719f7fa3e
                                • Opcode Fuzzy Hash: f4ab369aa0dc9a91aec02ea4533ea2a670de260f1d03b9f4387ce6624c36eb4e
                                • Instruction Fuzzy Hash: 56613630E103099BDF10DBA8C850BADB7B6FF85310F209929E50ABB794DB749985CB41
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ed08964447801a8bd792fb825c1f233f6c6dbf057bc3f0284583987ab231e942
                                • Instruction ID: 5d6838017903119e4dd1d243b873403336986b2fbbc7751bff282b26e5c706a7
                                • Opcode Fuzzy Hash: ed08964447801a8bd792fb825c1f233f6c6dbf057bc3f0284583987ab231e942
                                • Instruction Fuzzy Hash: B151E834B0020A4BDF29DAA8D5D0B7EB7A6FB85314F204C2AD04AC7791D739DE46C782
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c612c1bbd1743ba14639ca38b372e9d66fd9ac562a96bbe96666729601ac8d3b
                                • Instruction ID: f7d4fdd07fee6f0d8b7a360d84700ba742818a9b6445f43f6fdbe45c7c1028af
                                • Opcode Fuzzy Hash: c612c1bbd1743ba14639ca38b372e9d66fd9ac562a96bbe96666729601ac8d3b
                                • Instruction Fuzzy Hash: BE5136B4D002188FDB18CFA9C889BADBBF1BF48304F148519E81ABB791D774A945CF95
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3f26888f4d60a5c9ab5c5444c3272e0fa70f76d46a2837bc5a8bdf700f0c8da9
                                • Instruction ID: 946e5b6729f8789d4f5ccbe6cc9d870eac6f2560d151c4ae4bdd0e2be46f18d1
                                • Opcode Fuzzy Hash: 3f26888f4d60a5c9ab5c5444c3272e0fa70f76d46a2837bc5a8bdf700f0c8da9
                                • Instruction Fuzzy Hash: AC5124B4D002188FDB18CFA9C889B9DBBF1BF48314F548529E81ABB790D774A944CF95
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d3d6ec9b4098d547857dfa081cc935826107f27e289398efe4f158bc34a60658
                                • Instruction ID: 2f873aaf0fdbbc66d88f39bb94d208bd8a125101677947d6d9a795cc14af6b9b
                                • Opcode Fuzzy Hash: d3d6ec9b4098d547857dfa081cc935826107f27e289398efe4f158bc34a60658
                                • Instruction Fuzzy Hash: 03413D72A006098BDF30CEE9D8C0ABFF7B6FB84310F104D6AE256D7A50D731A9458B91
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 182643bb7d1983ad7a177e891e40213c83d2445952840ead3e049b6c3a596f7c
                                • Instruction ID: b598019f01d7ba8eeaeceb55e2bec7099a5238eb566eec4187321e5145948f06
                                • Opcode Fuzzy Hash: 182643bb7d1983ad7a177e891e40213c83d2445952840ead3e049b6c3a596f7c
                                • Instruction Fuzzy Hash: 76317271F112199BCF09DFB8D8946AEB7B6BF89300F148829E806E7740EF7499428791
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e8dcd598665055efb4e35d5924f84ea56bd4671bfa3f04eacb6238e759ae5c96
                                • Instruction ID: 78cc6f8e9721ebf3c5db4d3c789e4808ecd53728918ca492c13d35cdb701a935
                                • Opcode Fuzzy Hash: e8dcd598665055efb4e35d5924f84ea56bd4671bfa3f04eacb6238e759ae5c96
                                • Instruction Fuzzy Hash: E2316231F102199BCF09DFA9D8946AEB7F6BFC9300F148829E805EB740EF7499428791
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 01a125c7f30c7e1540ae735ecc4896b1da71a099d2b023adae89aa370a134e1d
                                • Instruction ID: d780aca4e8298da74efe8fe051ed1982dfa27792ddce73d33dfcc604a40fa0bb
                                • Opcode Fuzzy Hash: 01a125c7f30c7e1540ae735ecc4896b1da71a099d2b023adae89aa370a134e1d
                                • Instruction Fuzzy Hash: B631D875F042598BCF09CFA8D4946AEBBB2FF86310F108969E801FB351DB709986CB41
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b84531d6d2e1b6b22f76bff189f880b0d3918cd389dd7d99a150f7659ed5cb43
                                • Instruction ID: 4d9e0f2b8c2aa25795f6a5154022a306ca91c4c51432eb397e4be0cb9b76f1f8
                                • Opcode Fuzzy Hash: b84531d6d2e1b6b22f76bff189f880b0d3918cd389dd7d99a150f7659ed5cb43
                                • Instruction Fuzzy Hash: ED31A935F102198BCF19CFA4D4946AEBBB6FF89310F108929E805F7750DB709986CB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4765c9a856aab968fdb2e9db12cf068fdc63715b67cb3fdc95f9b8843fca54b4
                                • Instruction ID: 761c15f6c0301e65262ad5716c8f70b8d0e7385df06b0c47f56ebe3adae0da97
                                • Opcode Fuzzy Hash: 4765c9a856aab968fdb2e9db12cf068fdc63715b67cb3fdc95f9b8843fca54b4
                                • Instruction Fuzzy Hash: CE2150387002158FD709EB74E454A2D77ABEFC8708F108868E40A8B3A9CF359C4BDB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 70b4b1d1a91eac8a0a9d828c0ee3084b103cee697a71bd32f370b2217fc3e659
                                • Instruction ID: 8651f41371f4cd7c4508dd36dfaec4c7495d9c43ca1b87202eed4f857c9667e2
                                • Opcode Fuzzy Hash: 70b4b1d1a91eac8a0a9d828c0ee3084b103cee697a71bd32f370b2217fc3e659
                                • Instruction Fuzzy Hash: 5A219F7AF0021A8FDB00DFA9D890BAEB7F1FB48210F204426E906E7354E730DD428B95
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e1926165c7d452be375d78b518d59beea6f2d3114fff707d2faa4e68f5f5877f
                                • Instruction ID: 1aa70df56c100ee8925086d712db3ea3528917dd2886384e8d5a05266d51e571
                                • Opcode Fuzzy Hash: e1926165c7d452be375d78b518d59beea6f2d3114fff707d2faa4e68f5f5877f
                                • Instruction Fuzzy Hash: 9B21AE75F0021A9FDB10DFA9D890AAEB7F5FB48700F10442AE905E7344EB31DD418B94
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277649072.00000000005DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5dd000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2954a865d27e77368c1b14afcc75d70d34c12197d9c0f8f80b3b2758a2a54130
                                • Instruction ID: 891fff7a4b2e0856c1dfb19b5bc0969eee5fe0cb0bb09c507d4bbc729f1b1a5c
                                • Opcode Fuzzy Hash: 2954a865d27e77368c1b14afcc75d70d34c12197d9c0f8f80b3b2758a2a54130
                                • Instruction Fuzzy Hash: 8721F171500204DFCB25DF18E980B26BFB5FB98318F20856BD9090A356C33AD816DAB2
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6de653136b82987ed1961c37e69511578485e5e45d65206a64eb93e28d516b8a
                                • Instruction ID: 02a83bbd7fc90c30dcd043d6529b91cfe830d173aeb81d1a38a08e262a5611ad
                                • Opcode Fuzzy Hash: 6de653136b82987ed1961c37e69511578485e5e45d65206a64eb93e28d516b8a
                                • Instruction Fuzzy Hash: 9621B771E102199BCF09DFB4C4945AEB7B2BF89310F208A19E816F7690EB709941CB45
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae915dab19f62bc2e30f4a09e064d409ad7e1253020773a085463065dec2eb30
                                • Instruction ID: ee0539a8dee122f831de3f160f3ed84224d9ac417ac780ed4410eede77636a23
                                • Opcode Fuzzy Hash: ae915dab19f62bc2e30f4a09e064d409ad7e1253020773a085463065dec2eb30
                                • Instruction Fuzzy Hash: 01219531E102199BCF0DDFB4C4945AEB7B2BF89310F10892AE816F7780EB71A985CB45
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278007991.00000000021CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_21cd000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a65df5ca630b57d8635a8b6dd552394966ec9cc806fdf4d714b231cef5766d24
                                • Instruction ID: db4538e60662590a435db8d7de60f1614ab696d766951a375a1a8a6bb18d215d
                                • Opcode Fuzzy Hash: a65df5ca630b57d8635a8b6dd552394966ec9cc806fdf4d714b231cef5766d24
                                • Instruction Fuzzy Hash: 57210379584200DFDB14DF28E580B16BBA5EB94324F30C57DD80A0B256C33AD417CA62
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278007991.00000000021CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_21cd000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6522a9e3a3d0cfde1850a83885f21124cf8294c6e7c650fcfa39324efe055e7b
                                • Instruction ID: 0c182c2f17d9472df15d380c866a45a79aa9223ad96405831518bef366dec0ef
                                • Opcode Fuzzy Hash: 6522a9e3a3d0cfde1850a83885f21124cf8294c6e7c650fcfa39324efe055e7b
                                • Instruction Fuzzy Hash: C82192755483809FCB02CF14D994715BF71EB56324F28C5EAD8498F2A7C33A981ACB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 37773b6052e08e0efe6f7e952330e7a794878285ca2387b24ba79aa5920d9553
                                • Instruction ID: bee523abe597dee47a98ac68336c97e2e4c5e6195195b952a604d27b2c9ccd85
                                • Opcode Fuzzy Hash: 37773b6052e08e0efe6f7e952330e7a794878285ca2387b24ba79aa5920d9553
                                • Instruction Fuzzy Hash: 43112B32E001098FDF18DF98E9C4B9DB766FFC0311F148961C9085B656D774DA46C791
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7bf71f278824a6960b526e80a1d3b7bc3da247a51f2b02f5c2f5a0eda5e9d565
                                • Instruction ID: 74834000f6b9c7f7ce1b1c613145330abe26ceea368c8b6edae85443affab1b0
                                • Opcode Fuzzy Hash: 7bf71f278824a6960b526e80a1d3b7bc3da247a51f2b02f5c2f5a0eda5e9d565
                                • Instruction Fuzzy Hash: 5211CE36B0012A8BCF18D668D814AAE76A7ABC8210B014939D40AE7744DE29DD028BD1
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277649072.00000000005DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5dd000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3fcf16f0ce3997a393d561b9291fa03094e96af132afbef0229708fa6f6a02d1
                                • Instruction ID: 507bf05daf620ce1729274d18b9feedb825f32d6cfe8705a50ade9f6ac31ec95
                                • Opcode Fuzzy Hash: 3fcf16f0ce3997a393d561b9291fa03094e96af132afbef0229708fa6f6a02d1
                                • Instruction Fuzzy Hash: D811D376504244CFCB16CF14D5C4B16BF72FB94314F24C5AAD9494B356C33AD85ACBA2
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 524ed9ca0369201642411282eac058f84879cad8d271bf6eb534e3d51f78d5ca
                                • Instruction ID: 31c78bec0c00d57b2fc8cd09708c6f759236320bb26cbcd1c2816daf681f4f4d
                                • Opcode Fuzzy Hash: 524ed9ca0369201642411282eac058f84879cad8d271bf6eb534e3d51f78d5ca
                                • Instruction Fuzzy Hash: 8821C0B5D01219AFCB00DF99D984BDEFBB4FB09310F10852AE918B7240D378AA54CBA5
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cebc0c61f3f41254bbb69267e52f3c63c311aacfe48deb723a23de6fb03322ff
                                • Instruction ID: fc9871658214cacc67058c01b8bee65f59a3de9341d335ea594442e148ba935f
                                • Opcode Fuzzy Hash: cebc0c61f3f41254bbb69267e52f3c63c311aacfe48deb723a23de6fb03322ff
                                • Instruction Fuzzy Hash: 8D012F357001150FCB208ABCD050B2AB7EBEBC8720F20883AF10EC7794DA25CD468381
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c22177560d66ca5ec32632807b8f4382d41f35d3ebb0c7130c57788d2ade84e7
                                • Instruction ID: f742b52a4c0407254bf45acb387d914d2eb5ca5e76ffe7280d2342f40ad426f7
                                • Opcode Fuzzy Hash: c22177560d66ca5ec32632807b8f4382d41f35d3ebb0c7130c57788d2ade84e7
                                • Instruction Fuzzy Hash: 0011C2B1D01259AFCB00DF9AD884ADEFBB4FB49310F10812AE518A7240C378A954CBA5
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8586105fc7c2b601d6c97a535f2fb5b392cb1d3afc9677219353a22351dd210c
                                • Instruction ID: 1e7b2c49509330ede408fa48e65b617e1fce31bd03b09fd524dfabf34e696abb
                                • Opcode Fuzzy Hash: 8586105fc7c2b601d6c97a535f2fb5b392cb1d3afc9677219353a22351dd210c
                                • Instruction Fuzzy Hash: 6101D436B100265BDF19D6A8DC617EF37ABE7C8200F114835D10AD7644EE648E0747D1
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c8d0f6ab0aac8f3b1764d41a82367aca6a87a9cebbde95f91fdf266178e35af2
                                • Instruction ID: 10c78ecc16cf2d2e3fff2593d3029083b46531c438c3d7c28982088d7176686d
                                • Opcode Fuzzy Hash: c8d0f6ab0aac8f3b1764d41a82367aca6a87a9cebbde95f91fdf266178e35af2
                                • Instruction Fuzzy Hash: 1201AD357005190BDB2499BD9454F2AA7DBEBC9B24F20883AF40EC7754DE61DD4683D1
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277649072.00000000005DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5dd000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fab771e8064d53c6b8d9feadd5c8303c6573b701e206fdc8d38002de2c8d76ef
                                • Instruction ID: 3e4a5dca12c7d2e8c176e74ac0a3ca5d476c8233dbe4166bb49a248b325ebe76
                                • Opcode Fuzzy Hash: fab771e8064d53c6b8d9feadd5c8303c6573b701e206fdc8d38002de2c8d76ef
                                • Instruction Fuzzy Hash: 6301927100D3C49FD7228B258C88752BFB8EF53220F0985DBE8888F2A3D2695C45C772
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277649072.00000000005DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5dd000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 897c90780f4f5b515f8941729de86751831c47aafd28d880816ac29fdb2d53da
                                • Instruction ID: 6a2c1bfb65779cd478b5684e320dc4e701ebdb8e052cc194ad368aa908e544ab
                                • Opcode Fuzzy Hash: 897c90780f4f5b515f8941729de86751831c47aafd28d880816ac29fdb2d53da
                                • Instruction Fuzzy Hash: EE01A771404344AAD7309B1ECD88B67BFACFF85324F18C52BED480A386D2799C45CAB1
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 004136F4
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                                • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                                • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                                • TerminateProcess.KERNEL32(00000000), ref: 00413737
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                APIs
                                • GetProcessHeap.KERNEL32 ref: 0040ADD0
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q
                                • API String ID: 0-1259897404
                                • Opcode ID: 4d80c750b390b0fafe922c91b92c4e4eb46627d911a8439ec6adebc18379cd20
                                • Instruction ID: f392b7a89e01d74de9cd56dc6d80f7257b476882c0048097ff44acb4c8e9ff30
                                • Opcode Fuzzy Hash: 4d80c750b390b0fafe922c91b92c4e4eb46627d911a8439ec6adebc18379cd20
                                • Instruction Fuzzy Hash: EB717E71D082458FD709DF3AE854A9ABFA6BFC6304F04C9ABC0049B27AEB34440ECB51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q
                                • API String ID: 0-1259897404
                                • Opcode ID: 8a5b8cc6b9a4ff4c9c5af378f6d60bdab8089e4c8bd6c3332934b034f31c9201
                                • Instruction ID: 7b74a3a3d0e476dca81b9a5fd76c9d44478395aa941ae77d095a751842b67425
                                • Opcode Fuzzy Hash: 8a5b8cc6b9a4ff4c9c5af378f6d60bdab8089e4c8bd6c3332934b034f31c9201
                                • Instruction Fuzzy Hash: E6515C74E482059FD71CEF7AE944A9ABBE7BBC9304F04C92AC0049B278EB74550EDB51
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4530bdf53807fdb60fa001452aaf1fc3dc21a127921d135c4d5789399df1bae5
                                • Instruction ID: 382b958a3b3c046af7c4569d6190b506126fdbb8162f4b802f2a18dfec6a1e13
                                • Opcode Fuzzy Hash: 4530bdf53807fdb60fa001452aaf1fc3dc21a127921d135c4d5789399df1bae5
                                • Instruction Fuzzy Hash: 5A828B5394D2C25BD7670BB818FA2E6BFF1DD9722876C09DEC8C00A417E10695BBC74A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c5b21c1892e54d6b2c5bbbc9dcc4eaf3764abe7516b35291a2ef9d3e9577c4d2
                                • Instruction ID: 276a50e9e39586d659036815bf6ecbdae43eaa427170941a7955af069fcb6149
                                • Opcode Fuzzy Hash: c5b21c1892e54d6b2c5bbbc9dcc4eaf3764abe7516b35291a2ef9d3e9577c4d2
                                • Instruction Fuzzy Hash: 2B827A53A4D2C25BD7670BB818FA2E6BFF1DD9722836D09DEC8C00A417E10655BBC74A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d9448337097f6e0f8e1b2cb54bcf1b4a43762c24eb2470a8715712001d6fbecf
                                • Instruction ID: 1228a4e1fcfb31fc14dd2413a12c3afc8676b16100398c376a943f065bef26ce
                                • Opcode Fuzzy Hash: d9448337097f6e0f8e1b2cb54bcf1b4a43762c24eb2470a8715712001d6fbecf
                                • Instruction Fuzzy Hash: B3828A53A4D2C25BD7670BB818FA2E6BFF1DD9722836D09DEC8C00A417E10655BBC74A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ce6c1f803e88b6ad8593b269524fb1463b1d851899b9d3e4ed76bf287b5c8469
                                • Instruction ID: 3e6f4538b3b4f531c3484a964c407988f9a450e99908ddbba8ed8847e256a8db
                                • Opcode Fuzzy Hash: ce6c1f803e88b6ad8593b269524fb1463b1d851899b9d3e4ed76bf287b5c8469
                                • Instruction Fuzzy Hash: 0B828A53A4D2C25BD7670BB818FA2E6BFF1DD9722836D09DEC8C00A417E10655BBC74A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a8934b7e233fd7b28a0f82c0f1048305fa2556c09258840d48e591c1a84574cd
                                • Instruction ID: 57b98217cba87cb225a98a42c44fbb7272d88b285a46b4bcf6ccddcf2f828ee6
                                • Opcode Fuzzy Hash: a8934b7e233fd7b28a0f82c0f1048305fa2556c09258840d48e591c1a84574cd
                                • Instruction Fuzzy Hash: 30828A53A4D2C25BD7670BB818FA2E6BFF1DD9722836D09DEC8C00A417E10655BBC74A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: acbd5d45a0aabcb265f665f631534c68ff0ab332f2f35c28402014259af69aa7
                                • Instruction ID: e046ed6c376d3f1da5ee51c1200833c4edf6e99948af307f1b6ba8f6d83bd50f
                                • Opcode Fuzzy Hash: acbd5d45a0aabcb265f665f631534c68ff0ab332f2f35c28402014259af69aa7
                                • Instruction Fuzzy Hash: D6828A53A4D2C25BD7670BB818FA2E6BFF1DD9722836D09DEC8C00A417E10655BBC74A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5db94afcde15a2fd614812ab7756bbd2ce9517cd392e914101caf051599e69a3
                                • Instruction ID: 6098d3efa047ddb8ea45cf5578a25360d525dbdff478013b3d6ce95a6040dc45
                                • Opcode Fuzzy Hash: 5db94afcde15a2fd614812ab7756bbd2ce9517cd392e914101caf051599e69a3
                                • Instruction Fuzzy Hash: EA828A53A4D2C25BD7670BB818FA2E6BFF1DD9722836D09DEC8C00A417E10655BBC74A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3278197737.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2260000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 836b46799d7e83a559921c095571bd0d8c422b9217fa97a25593210315d3573f
                                • Instruction ID: fd44514e5492b3258ca4dd7613246e2853d53c4968631d6b04cdcfee15bf5286
                                • Opcode Fuzzy Hash: 836b46799d7e83a559921c095571bd0d8c422b9217fa97a25593210315d3573f
                                • Instruction Fuzzy Hash: FE828A53A4D2C25BD7670BB818FA2E6BFF1DD9722836D09DEC8C00A417E10655BBC74A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
                                • Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
                                • Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
                                • Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                                • Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
                                • Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                                • Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
                                • Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
                                • Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
                                • Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 692ad90e0bf3507b2c99400a949176f2eaad529665944bb73187e79a598d263d
                                • Instruction ID: ebaf631a72e9363c18b67465b3ea82a8976a29f5f46c7ba6eafa833754087cbd
                                • Opcode Fuzzy Hash: 692ad90e0bf3507b2c99400a949176f2eaad529665944bb73187e79a598d263d
                                • Instruction Fuzzy Hash: A012A4F0C817558AD338CF25E84C1997AB9F744728FD25A0EC2616A2E5E7B4126ECF44
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280545074.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_64e0000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3974433c0b7e512152638ad33a37266908f74be2fd749d0a56d593df29450872
                                • Instruction ID: 8c9b796982e5d5a17730c63b3bb21bc6a14b2574cd57751315e89e69c42b61b8
                                • Opcode Fuzzy Hash: 3974433c0b7e512152638ad33a37266908f74be2fd749d0a56d593df29450872
                                • Instruction Fuzzy Hash: 56A17E32E00219CFCF5ADFA5D84459EB7B2FF84306B15856BE815AB321DB72E915CB80
                                Memory Dump Source
                                • Source File: 00000000.00000002.3280265188.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5c70000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eedc8d8d4307207f80533c0effc69db4ca118850d906db7237df6e235a1154cd
                                • Instruction ID: 1f70a668528cf93a5da4f02f22ef663220c8cfbe60d1dcbded3e60f6824b9725
                                • Opcode Fuzzy Hash: eedc8d8d4307207f80533c0effc69db4ca118850d906db7237df6e235a1154cd
                                • Instruction Fuzzy Hash: 88C15EF0C817558BD728CF24E8481997B79FB85328FD25A0ED1606B2E1EBB4166ECF44
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                                • Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
                                • Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                                • Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
                                • Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
                                • Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
                                • Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
                                • Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
                                • Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
                                • Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
                                • Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
                                • Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
                                • Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
                                • Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
                                • Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
                                • Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785
                                APIs
                                • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                                • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,021E1910), ref: 004170C5
                                • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                                • _malloc.LIBCMT ref: 0041718A
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                                • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                                • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                                • _malloc.LIBCMT ref: 0041724C
                                • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                                • __freea.LIBCMT ref: 004172A4
                                • __freea.LIBCMT ref: 004172AD
                                • ___ansicp.LIBCMT ref: 004172DE
                                • ___convertcp.LIBCMT ref: 00417309
                                • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                                • _malloc.LIBCMT ref: 00417362
                                • _memset.LIBCMT ref: 00417384
                                • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                                • ___convertcp.LIBCMT ref: 004173BA
                                • __freea.LIBCMT ref: 004173CF
                                • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                                • String ID:
                                • API String ID: 3809854901-0
                                • Opcode ID: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
                                • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                                • Opcode Fuzzy Hash: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
                                • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
                                APIs
                                • _malloc.LIBCMT ref: 004057DE
                                  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                • _malloc.LIBCMT ref: 00405842
                                • _malloc.LIBCMT ref: 00405906
                                • _malloc.LIBCMT ref: 00405930
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: _malloc$AllocateHeap
                                • String ID: 1.2.3
                                • API String ID: 680241177-2310465506
                                • Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                                • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                                • Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                                • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                • String ID:
                                • API String ID: 3886058894-0
                                • Opcode ID: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
                                • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                                • Opcode Fuzzy Hash: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
                                • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                                APIs
                                • __lock_file.LIBCMT ref: 0040C6C8
                                • __fileno.LIBCMT ref: 0040C6D6
                                • __fileno.LIBCMT ref: 0040C6E2
                                • __fileno.LIBCMT ref: 0040C6EE
                                • __fileno.LIBCMT ref: 0040C6FE
                                  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                                • String ID: 'B
                                • API String ID: 2805327698-2787509829
                                • Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                                • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
                                • Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                                • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
                                APIs
                                • __getptd.LIBCMT ref: 00414744
                                  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                • __getptd.LIBCMT ref: 0041475B
                                • __amsg_exit.LIBCMT ref: 00414769
                                • __lock.LIBCMT ref: 00414779
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                • String ID: @.B
                                • API String ID: 3521780317-470711618
                                • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
                                • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
                                APIs
                                • __getptd.LIBCMT ref: 00413FD8
                                  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                • __amsg_exit.LIBCMT ref: 00413FF8
                                • __lock.LIBCMT ref: 00414008
                                • InterlockedDecrement.KERNEL32(?), ref: 00414025
                                • InterlockedIncrement.KERNEL32(021E1670), ref: 00414050
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                • String ID:
                                • API String ID: 4271482742-0
                                • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
                                • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
                                Memory Dump Source
                                • Source File: 00000000.00000002.3277306409.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.3277282843.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277335340.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277356431.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.3277423639.0000000000445000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.jbxd
                                Similarity
                                • API ID: __calloc_crt
                                • String ID: P$B$`$B
                                • API String ID: 3494438863-235554963
                                • Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                                • Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
                                • Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                                • Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C
                                APIs
                                • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                Strings
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: IsProcessorFeaturePresent$KERNEL32
                                • API String ID: 1646373207-3105848591
                                • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                                • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                                APIs
                                • ___addlocaleref.LIBCMT ref: 0041470C
                                  • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
                                  • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
                                  • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
                                  • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
                                  • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
                                  • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
                                  • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
                                  • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A
                                • ___removelocaleref.LIBCMT ref: 00414717
                                  • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
                                  • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
                                  • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
                                  • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
                                  • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
                                  • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
                                  • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
                                  • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1
                                • ___freetlocinfo.LIBCMT ref: 0041472B
                                  • Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
                                  • Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
                                  • Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575
                                Strings
                                Similarity
                                • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                                • String ID: @.B
                                • API String ID: 467427115-470711618
                                • Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                                • Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
                                • Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                                • Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D
                                APIs
                                • __fileno.LIBCMT ref: 0040C77C
                                • __locking.LIBCMT ref: 0040C791
                                  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                Similarity
                                • API ID: __decode_pointer__fileno__getptd_noexit__locking
                                • String ID:
                                • API String ID: 2395185920-0
                                • Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
                                • Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
                                APIs
                                Similarity
                                • API ID: _fseek_malloc_memset
                                • String ID:
                                • API String ID: 208892515-0
                                • Opcode ID: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
                                • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
                                • Opcode Fuzzy Hash: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
                                • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
                                APIs
                                • __flush.LIBCMT ref: 0040BB6E
                                • __fileno.LIBCMT ref: 0040BB8E
                                • __locking.LIBCMT ref: 0040BB95
                                • __flsbuf.LIBCMT ref: 0040BBC0
                                  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                Similarity
                                • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                • String ID:
                                • API String ID: 3240763771-0
                                • Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                • Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
                                • Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                • Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
                                APIs
                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                                • __isleadbyte_l.LIBCMT ref: 00415307
                                • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
                                • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
                                Similarity
                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                • String ID:
                                • API String ID: 3058430110-0
                                • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
                                • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
                                APIs
                                Similarity
                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                • String ID:
                                • API String ID: 3016257755-0
                                • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
                                • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89