Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ynhHNexysa.exe

Overview

General Information

Sample name:ynhHNexysa.exe
renamed because original name is a hash value
Original sample name:3d33cbde84d0a1197ec0d459d634473e.exe
Analysis ID:1482799
MD5:3d33cbde84d0a1197ec0d459d634473e
SHA1:abd0074c5b2eed8fbab4d30443ceac4b403ad09d
SHA256:33647cf1d7ba05386d44a608a94979925883f8e8c0e5f63b3f2e7ffdc7380461
Tags:32exetrojan
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ynhHNexysa.exe (PID: 2412 cmdline: "C:\Users\user\Desktop\ynhHNexysa.exe" MD5: 3D33CBDE84D0A1197EC0D459D634473E)
    • ynhHNexysa.exe (PID: 2796 cmdline: "C:\Users\user\Desktop\ynhHNexysa.exe" MD5: 3D33CBDE84D0A1197EC0D459D634473E)
    • ynhHNexysa.exe (PID: 6104 cmdline: "C:\Users\user\Desktop\ynhHNexysa.exe" MD5: 3D33CBDE84D0A1197EC0D459D634473E)
    • ynhHNexysa.exe (PID: 2684 cmdline: "C:\Users\user\Desktop\ynhHNexysa.exe" MD5: 3D33CBDE84D0A1197EC0D459D634473E)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "smtp.jlahuachem.com", "Username": "hunk.zhang@jlahuachem.com", "Password": "eGbB!FT9"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.4495357530.0000000002AB5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 9 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.ynhHNexysa.exe.40240a8.4.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.ynhHNexysa.exe.40240a8.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.ynhHNexysa.exe.40240a8.4.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x33021:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x33093:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x3311d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x331af:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x33219:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x3328b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x33321:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x333b1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.ynhHNexysa.exe.3fa9990.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.2.ynhHNexysa.exe.3fa9990.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 10 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 208.91.199.225, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\ynhHNexysa.exe, Initiated: true, ProcessId: 2684, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708

                    Snort Signatures

                    No Snort rule has matched

                    Suricata Signatures

                    Timestamp:2024-07-26T07:30:16.711253+0200
                    SID:2022930
                    Source Port:443
                    Destination Port:49711
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:2024-07-26T07:30:56.019190+0200
                    SID:2022930
                    Source Port:443
                    Destination Port:49717
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: ynhHNexysa.exeAvira: detected
                    Found malware configuration
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "smtp.jlahuachem.com", "Username": "hunk.zhang@jlahuachem.com", "Password": "eGbB!FT9"}
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: ynhHNexysa.exeJoe Sandbox ML: detected
                    Source: ynhHNexysa.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49706 version: TLS 1.2
                    Source: ynhHNexysa.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Joe Sandbox ViewIP Address: 208.91.198.143 208.91.198.143
                    Source: Joe Sandbox ViewIP Address: 208.91.199.225 208.91.199.225
                    Source: Joe Sandbox ViewIP Address: 208.91.199.223 208.91.199.223
                    Source: Joe Sandbox ViewIP Address: 208.91.199.224 208.91.199.224
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.5:49708 -> 208.91.199.225:25
                    Source: global trafficTCP traffic: 192.168.2.5:49708 -> 208.91.198.143:25
                    Source: global trafficTCP traffic: 192.168.2.5:49708 -> 208.91.199.223:25
                    Source: global trafficTCP traffic: 192.168.2.5:49708 -> 208.91.199.224:25
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: smtp.jlahuachem.com
                    Source: ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002C48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.jlahuachem.com
                    Source: ynhHNexysa.exeString found in binary or memory: http://tempuri.org/dxsss.xsd
                    Source: ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002C48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                    Source: ynhHNexysa.exe, 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: ynhHNexysa.exe, 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49706 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, SKTzxzsJw.cs.Net Code: agneM

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.ynhHNexysa.exe.40240a8.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 5.2.ynhHNexysa.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.ynhHNexysa.exe.40240a8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_0162D3040_2_0162D304
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_05637BD00_2_05637BD0
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_056300400_2_05630040
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_056300070_2_05630007
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_05637BC00_2_05637BC0
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_07604D300_2_07604D30
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_07604D110_2_07604D11
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_076055A00_2_076055A0
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_07606C780_2_07606C78
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_076051680_2_07605168
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_076068400_2_07606840
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_076068310_2_07606831
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 0_2_0760C8000_2_0760C800
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00C2EEC05_2_00C2EEC0
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00C218A05_2_00C218A0
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00F641C85_2_00F641C8
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00F6E6B15_2_00F6E6B1
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00F6F7B05_2_00F6F7B0
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00F64A985_2_00F64A98
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00F63E805_2_00F63E80
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00F6A9785_2_00F6A978
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_0670B6385_2_0670B638
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_06707D785_2_06707D78
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_067065E85_2_067065E8
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_067055A05_2_067055A0
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_0670B2175_2_0670B217
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_067030605_2_06703060
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_0670C1805_2_0670C180
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_067076985_2_06707698
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_06705CCF5_2_06705CCF
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_067023485_2_06702348
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_0670E3B05_2_0670E3B0
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_067000405_2_06700040
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_067000395_2_06700039
                    Source: ynhHNexysa.exe, 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameecf29b00-c117-46a2-9260-1b0a359263de.exe4 vs ynhHNexysa.exe
                    Source: ynhHNexysa.exe, 00000000.00000002.2067938969.0000000007560000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs ynhHNexysa.exe
                    Source: ynhHNexysa.exe, 00000000.00000002.2065195598.000000000415E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs ynhHNexysa.exe
                    Source: ynhHNexysa.exe, 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameecf29b00-c117-46a2-9260-1b0a359263de.exe4 vs ynhHNexysa.exe
                    Source: ynhHNexysa.exe, 00000000.00000002.2064767675.0000000002FC5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameecf29b00-c117-46a2-9260-1b0a359263de.exe4 vs ynhHNexysa.exe
                    Source: ynhHNexysa.exe, 00000000.00000002.2064767675.0000000002F81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMML.dll2 vs ynhHNexysa.exe
                    Source: ynhHNexysa.exe, 00000000.00000002.2067506595.0000000005C10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMML.dll2 vs ynhHNexysa.exe
                    Source: ynhHNexysa.exe, 00000000.00000002.2063971815.00000000011FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs ynhHNexysa.exe
                    Source: ynhHNexysa.exe, 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameecf29b00-c117-46a2-9260-1b0a359263de.exe4 vs ynhHNexysa.exe
                    Source: ynhHNexysa.exe, 00000005.00000002.4492911660.0000000000AF9000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs ynhHNexysa.exe
                    Source: ynhHNexysa.exeBinary or memory string: OriginalFilenameSxEh.exe< vs ynhHNexysa.exe
                    Source: ynhHNexysa.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.ynhHNexysa.exe.40240a8.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5.2.ynhHNexysa.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.ynhHNexysa.exe.40240a8.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: ynhHNexysa.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, wY0JxeJBuhumsKEEdp.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, wY0JxeJBuhumsKEEdp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, wY0JxeJBuhumsKEEdp.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, X1lGeNtrqa9RypnK1A.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, wY0JxeJBuhumsKEEdp.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, wY0JxeJBuhumsKEEdp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, wY0JxeJBuhumsKEEdp.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, X1lGeNtrqa9RypnK1A.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, X1lGeNtrqa9RypnK1A.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, wY0JxeJBuhumsKEEdp.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, wY0JxeJBuhumsKEEdp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, wY0JxeJBuhumsKEEdp.csSecurity API names: _0020.AddAccessRule
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/1@2/5
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ynhHNexysa.exe.logJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMutant created: \Sessions\1\BaseNamedObjects\nDULVUQYKBSQmTmUguHVQEG
                    Source: ynhHNexysa.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: ynhHNexysa.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\ynhHNexysa.exe "C:\Users\user\Desktop\ynhHNexysa.exe"
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess created: C:\Users\user\Desktop\ynhHNexysa.exe "C:\Users\user\Desktop\ynhHNexysa.exe"
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess created: C:\Users\user\Desktop\ynhHNexysa.exe "C:\Users\user\Desktop\ynhHNexysa.exe"
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess created: C:\Users\user\Desktop\ynhHNexysa.exe "C:\Users\user\Desktop\ynhHNexysa.exe"
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess created: C:\Users\user\Desktop\ynhHNexysa.exe "C:\Users\user\Desktop\ynhHNexysa.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess created: C:\Users\user\Desktop\ynhHNexysa.exe "C:\Users\user\Desktop\ynhHNexysa.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess created: C:\Users\user\Desktop\ynhHNexysa.exe "C:\Users\user\Desktop\ynhHNexysa.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: ynhHNexysa.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: ynhHNexysa.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, wY0JxeJBuhumsKEEdp.cs.Net Code: oQDraBlY6e System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.ynhHNexysa.exe.5c10000.5.raw.unpack, -.cs.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.ynhHNexysa.exe.5c10000.5.raw.unpack, PingPong.cs.Net Code: Justy
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, wY0JxeJBuhumsKEEdp.cs.Net Code: oQDraBlY6e System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.ynhHNexysa.exe.2fa6060.0.raw.unpack, -.cs.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.ynhHNexysa.exe.2fa6060.0.raw.unpack, PingPong.cs.Net Code: Justy
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, wY0JxeJBuhumsKEEdp.cs.Net Code: oQDraBlY6e System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00C203D9 push es; ret 5_2_00C203DA
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00C29231 push cs; ret 5_2_00C2923E
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeCode function: 5_2_00F60CCC push edi; retf 5_2_00F60C7A
                    Source: ynhHNexysa.exeStatic PE information: section name: .text entropy: 7.962364275489502
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, VowUMM871Fp8bDemBP.csHigh entropy of concatenated method names: 'zg9NYQMDKL', 'gr9NyR2uIg', 'FjPNZeB3hh', 'COPZl1kGnD', 'ROJZzo0OQT', 'n03Ni2bJSi', 'fOPNcmWdZw', 'Ok1NxuDJSn', 'tNTN2HAADS', 'k31NrSbbHO'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, bLe1PVPXUhjRYjopUa.csHigh entropy of concatenated method names: 'SyeLk60tW4', 'hPNLEIREsG', 'DteLnPwbjp', 'VScLQyWdfy', 'M89LSDXina', 'yuJLfyVN5w', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, wY0JxeJBuhumsKEEdp.csHigh entropy of concatenated method names: 'XVh2Gyi6t8', 'hBk2YctEcf', 'U0F2j1g4Sv', 'Ijo2ytU9fJ', 'LMe2otdIYh', 'gbZ2ZQTjvv', 'rdF2Na0qE8', 'ePD2JuGhHT', 'DY62FcglJh', 'bHI2ABrSVB'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, X7eG0gqJtgFhfpo9cM.csHigh entropy of concatenated method names: 'bj1LYGylCf', 'DuILjg4Dy9', 'lWkLyDSM5Q', 'nwLLo67wt3', 'UYyLZuUlC1', 'jFSLN1EsAx', 'OdNLJxlV3l', 'qbVLF7g1mR', 'OjoLAHE5LB', 'xj0LKo2doe'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, bejyHZrHlbbQAjmPBF.csHigh entropy of concatenated method names: 'vnqcN1lGeN', 'dqacJ9Rypn', 'zYCcAyZPlc', 'rn4cKFjT12', 'LUGcObk3mR', 'PLOc3IxEnr', 'Vy8Ep7TJOShcrX5SCi', 'TNSZPuxa3W7DKHfEpy', 'Pm1cchrIdn', 'UULc2eXrSk'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, EHf4hJcibXDdIwrcxWa.csHigh entropy of concatenated method names: 'GPh5pEEQct', 'G8X5661gvI', 'CZy5a4U08p', 'nZq5DoGqW3', 'qtQ5vDuOw5', 'Dbd5gNEK89', 'gWY5Mrs8GO', 'WPk5tB5Bqy', 'quU5Vp7nWO', 'Vlm5COD7hk'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, yCyWgaVYCyZPlcLn4F.csHigh entropy of concatenated method names: 'HAkyDvYNmP', 'SZUygFHJ2Z', 'OB6ytO5xS2', 'FqoyVSWLUw', 'R2gyO81kuG', 'Byny3n9PuV', 'ldIyRO4C0b', 'b3AyLdkjvC', 'lVcy5bsjsd', 'iAyyBye0YT'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, VtoD4klVEdWHcS8xeB.csHigh entropy of concatenated method names: 'UKy5cLfb4A', 'pAC520I54m', 'kU65rwnIB8', 'Rn75Y4D6QV', 'V5o5jcNDob', 'kaI5o1TUkf', 'v5r5ZRd5oW', 'RmSL4qW8B5', 'j6vLqtV9OZ', 'OT5LP8RBa3'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, X1lGeNtrqa9RypnK1A.csHigh entropy of concatenated method names: 'YgDjSugHe4', 'DT5jH0yfm8', 'KRUjXQ6YTs', 'uAxjUmo3CE', 'P0njm9FbH3', 'WAAjuAM8tH', 'vsej4E0JEX', 'pXUjqZuKT1', 'faUjPRECx7', 'MJEjlVNm5U'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, xVUQskdyggVyKpAr72.csHigh entropy of concatenated method names: 'f7vwtj0SC7', 'VPSwVAQLac', 'KCxwkD0K3U', 'q4kwEhbKvQ', 'HqmwQXNXqe', 'Vvkwf2A3la', 'BjBw8A9SUF', 'jA7wek2HYU', 'pQkwbBk9qP', 'Q2kw9F4BSc'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, iRONNpzmxgNG0DqyUV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T1m5wH5Yn9', 'c4f5OG4nxb', 'l8l53mMuSI', 'oYl5RVOprX', 'MBE5LPrRa5', 'HqA55jdoXd', 'JZt5BrVR7F'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, pmR0LOkIxEnrctQD2X.csHigh entropy of concatenated method names: 'qABZGbaA0y', 'aYfZjSI0TR', 'ElfZoYxmKo', 'BBoZNK6vIh', 'C9IZJ9JLvg', 'lFUomIWgoi', 'APoou49NSs', 'CCNo4uAXLe', 'UbooqD3BQ1', 'hXIoP1GXO3'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, HJtwWsj8mZcgkhR8CY.csHigh entropy of concatenated method names: 'Dispose', 'NsocPAKa0p', 'KCHxEd7Emf', 'R2O11l3QCo', 'kP7cleG0gJ', 'DgFczhfpo9', 'ProcessDialogKey', 'aMcxiLe1PV', 'SUhxcjRYjo', 'xUaxxutoD4'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, B5YNRDX6ACF01eAiIM.csHigh entropy of concatenated method names: 'ToString', 'Nsu390Z1BA', 'SaK3ENTDJv', 'hYv3nYwqOF', 'l5p3QpgJcf', 'nxv3fUV4C0', 'Emm3IFGDOo', 'Gci38T8Vuf', 'lfZ3elmMS4', 'SmP3hsFWrT'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, VFbsN9QyklDZced5yE.csHigh entropy of concatenated method names: 'XI9ZWFwfw3', 'MB4Zpjy1Dv', 'JydZabIBKP', 'LlDZDr8k0K', 'NVnZg9hrSP', 'psfZMdItIL', 'SuGZVx1T8N', 'vVgZCUskbI', 'hk6skP40O4dnFp3QKhA', 'Ku7SwC4EoRAAoQHc0w5'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, U53X4duKhnr0sejxel.csHigh entropy of concatenated method names: 'q9dRqDGSLG', 'XXCRltWufr', 'f9hLiNpZdr', 'mXYLci3loj', 'qU7R9xDhQu', 'NXwR00hpPM', 'YNVRdI8EpX', 'pvERS8IniO', 'oOdRHqhjL0', 'hPORXC46NU'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, gBacBfc2y4FvbqjllAT.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qNcBSa7Y5T', 'KHgBHecyXO', 'lRLBXZcd9H', 'LarBUEe9K9', 'pRWBm6E5qj', 'G32BunBv4O', 'b0vB4PbFXQ'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, l6A1ftxPNHNC6cEnNj.csHigh entropy of concatenated method names: 'MVqa9qiYD', 'Sv6DW5jXs', 'ccBgf7sAh', 'osjMMM8ul', 'Ra9VrVpAf', 'CSLCwFUEI', 'TY9Mjc82YuAdgD8rdA', 'yu16YS1rXxrEQugYJi', 'p80LVcEuh', 'DBYBgpLq1'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, gT12ZpCTTqeGReUGbk.csHigh entropy of concatenated method names: 'dLLovp63h9', 'W2loMMWpMV', 'R7PynHqqJc', 'Vq8yQJykct', 'ej6yf5RgtJ', 'fudyI4EVAe', 'cH7y8Ru1c8', 'Uc4yeTWctG', 'jusyhnZrry', 'hM3ybR2iyc'
                    Source: 0.2.ynhHNexysa.exe.7560000.7.raw.unpack, OLaIZShKLuCmYa6fj7.csHigh entropy of concatenated method names: 'u1WNpQWdGg', 'YJ5N6gw1sU', 'gJZNaklB4w', 'xkNNDuXVAC', 'KOkNv2uvko', 't2aNgvY8cw', 'y3UNMD6XNP', 'SgANtVvx2q', 'Pk4NVwtCu7', 'J9mNCWetml'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, VowUMM871Fp8bDemBP.csHigh entropy of concatenated method names: 'zg9NYQMDKL', 'gr9NyR2uIg', 'FjPNZeB3hh', 'COPZl1kGnD', 'ROJZzo0OQT', 'n03Ni2bJSi', 'fOPNcmWdZw', 'Ok1NxuDJSn', 'tNTN2HAADS', 'k31NrSbbHO'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, bLe1PVPXUhjRYjopUa.csHigh entropy of concatenated method names: 'SyeLk60tW4', 'hPNLEIREsG', 'DteLnPwbjp', 'VScLQyWdfy', 'M89LSDXina', 'yuJLfyVN5w', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, wY0JxeJBuhumsKEEdp.csHigh entropy of concatenated method names: 'XVh2Gyi6t8', 'hBk2YctEcf', 'U0F2j1g4Sv', 'Ijo2ytU9fJ', 'LMe2otdIYh', 'gbZ2ZQTjvv', 'rdF2Na0qE8', 'ePD2JuGhHT', 'DY62FcglJh', 'bHI2ABrSVB'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, X7eG0gqJtgFhfpo9cM.csHigh entropy of concatenated method names: 'bj1LYGylCf', 'DuILjg4Dy9', 'lWkLyDSM5Q', 'nwLLo67wt3', 'UYyLZuUlC1', 'jFSLN1EsAx', 'OdNLJxlV3l', 'qbVLF7g1mR', 'OjoLAHE5LB', 'xj0LKo2doe'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, bejyHZrHlbbQAjmPBF.csHigh entropy of concatenated method names: 'vnqcN1lGeN', 'dqacJ9Rypn', 'zYCcAyZPlc', 'rn4cKFjT12', 'LUGcObk3mR', 'PLOc3IxEnr', 'Vy8Ep7TJOShcrX5SCi', 'TNSZPuxa3W7DKHfEpy', 'Pm1cchrIdn', 'UULc2eXrSk'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, EHf4hJcibXDdIwrcxWa.csHigh entropy of concatenated method names: 'GPh5pEEQct', 'G8X5661gvI', 'CZy5a4U08p', 'nZq5DoGqW3', 'qtQ5vDuOw5', 'Dbd5gNEK89', 'gWY5Mrs8GO', 'WPk5tB5Bqy', 'quU5Vp7nWO', 'Vlm5COD7hk'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, yCyWgaVYCyZPlcLn4F.csHigh entropy of concatenated method names: 'HAkyDvYNmP', 'SZUygFHJ2Z', 'OB6ytO5xS2', 'FqoyVSWLUw', 'R2gyO81kuG', 'Byny3n9PuV', 'ldIyRO4C0b', 'b3AyLdkjvC', 'lVcy5bsjsd', 'iAyyBye0YT'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, VtoD4klVEdWHcS8xeB.csHigh entropy of concatenated method names: 'UKy5cLfb4A', 'pAC520I54m', 'kU65rwnIB8', 'Rn75Y4D6QV', 'V5o5jcNDob', 'kaI5o1TUkf', 'v5r5ZRd5oW', 'RmSL4qW8B5', 'j6vLqtV9OZ', 'OT5LP8RBa3'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, X1lGeNtrqa9RypnK1A.csHigh entropy of concatenated method names: 'YgDjSugHe4', 'DT5jH0yfm8', 'KRUjXQ6YTs', 'uAxjUmo3CE', 'P0njm9FbH3', 'WAAjuAM8tH', 'vsej4E0JEX', 'pXUjqZuKT1', 'faUjPRECx7', 'MJEjlVNm5U'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, xVUQskdyggVyKpAr72.csHigh entropy of concatenated method names: 'f7vwtj0SC7', 'VPSwVAQLac', 'KCxwkD0K3U', 'q4kwEhbKvQ', 'HqmwQXNXqe', 'Vvkwf2A3la', 'BjBw8A9SUF', 'jA7wek2HYU', 'pQkwbBk9qP', 'Q2kw9F4BSc'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, iRONNpzmxgNG0DqyUV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T1m5wH5Yn9', 'c4f5OG4nxb', 'l8l53mMuSI', 'oYl5RVOprX', 'MBE5LPrRa5', 'HqA55jdoXd', 'JZt5BrVR7F'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, pmR0LOkIxEnrctQD2X.csHigh entropy of concatenated method names: 'qABZGbaA0y', 'aYfZjSI0TR', 'ElfZoYxmKo', 'BBoZNK6vIh', 'C9IZJ9JLvg', 'lFUomIWgoi', 'APoou49NSs', 'CCNo4uAXLe', 'UbooqD3BQ1', 'hXIoP1GXO3'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, HJtwWsj8mZcgkhR8CY.csHigh entropy of concatenated method names: 'Dispose', 'NsocPAKa0p', 'KCHxEd7Emf', 'R2O11l3QCo', 'kP7cleG0gJ', 'DgFczhfpo9', 'ProcessDialogKey', 'aMcxiLe1PV', 'SUhxcjRYjo', 'xUaxxutoD4'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, B5YNRDX6ACF01eAiIM.csHigh entropy of concatenated method names: 'ToString', 'Nsu390Z1BA', 'SaK3ENTDJv', 'hYv3nYwqOF', 'l5p3QpgJcf', 'nxv3fUV4C0', 'Emm3IFGDOo', 'Gci38T8Vuf', 'lfZ3elmMS4', 'SmP3hsFWrT'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, VFbsN9QyklDZced5yE.csHigh entropy of concatenated method names: 'XI9ZWFwfw3', 'MB4Zpjy1Dv', 'JydZabIBKP', 'LlDZDr8k0K', 'NVnZg9hrSP', 'psfZMdItIL', 'SuGZVx1T8N', 'vVgZCUskbI', 'hk6skP40O4dnFp3QKhA', 'Ku7SwC4EoRAAoQHc0w5'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, U53X4duKhnr0sejxel.csHigh entropy of concatenated method names: 'q9dRqDGSLG', 'XXCRltWufr', 'f9hLiNpZdr', 'mXYLci3loj', 'qU7R9xDhQu', 'NXwR00hpPM', 'YNVRdI8EpX', 'pvERS8IniO', 'oOdRHqhjL0', 'hPORXC46NU'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, gBacBfc2y4FvbqjllAT.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qNcBSa7Y5T', 'KHgBHecyXO', 'lRLBXZcd9H', 'LarBUEe9K9', 'pRWBm6E5qj', 'G32BunBv4O', 'b0vB4PbFXQ'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, l6A1ftxPNHNC6cEnNj.csHigh entropy of concatenated method names: 'MVqa9qiYD', 'Sv6DW5jXs', 'ccBgf7sAh', 'osjMMM8ul', 'Ra9VrVpAf', 'CSLCwFUEI', 'TY9Mjc82YuAdgD8rdA', 'yu16YS1rXxrEQugYJi', 'p80LVcEuh', 'DBYBgpLq1'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, gT12ZpCTTqeGReUGbk.csHigh entropy of concatenated method names: 'dLLovp63h9', 'W2loMMWpMV', 'R7PynHqqJc', 'Vq8yQJykct', 'ej6yf5RgtJ', 'fudyI4EVAe', 'cH7y8Ru1c8', 'Uc4yeTWctG', 'jusyhnZrry', 'hM3ybR2iyc'
                    Source: 0.2.ynhHNexysa.exe.42ecc90.3.raw.unpack, OLaIZShKLuCmYa6fj7.csHigh entropy of concatenated method names: 'u1WNpQWdGg', 'YJ5N6gw1sU', 'gJZNaklB4w', 'xkNNDuXVAC', 'KOkNv2uvko', 't2aNgvY8cw', 'y3UNMD6XNP', 'SgANtVvx2q', 'Pk4NVwtCu7', 'J9mNCWetml'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, VowUMM871Fp8bDemBP.csHigh entropy of concatenated method names: 'zg9NYQMDKL', 'gr9NyR2uIg', 'FjPNZeB3hh', 'COPZl1kGnD', 'ROJZzo0OQT', 'n03Ni2bJSi', 'fOPNcmWdZw', 'Ok1NxuDJSn', 'tNTN2HAADS', 'k31NrSbbHO'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, bLe1PVPXUhjRYjopUa.csHigh entropy of concatenated method names: 'SyeLk60tW4', 'hPNLEIREsG', 'DteLnPwbjp', 'VScLQyWdfy', 'M89LSDXina', 'yuJLfyVN5w', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, wY0JxeJBuhumsKEEdp.csHigh entropy of concatenated method names: 'XVh2Gyi6t8', 'hBk2YctEcf', 'U0F2j1g4Sv', 'Ijo2ytU9fJ', 'LMe2otdIYh', 'gbZ2ZQTjvv', 'rdF2Na0qE8', 'ePD2JuGhHT', 'DY62FcglJh', 'bHI2ABrSVB'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, X7eG0gqJtgFhfpo9cM.csHigh entropy of concatenated method names: 'bj1LYGylCf', 'DuILjg4Dy9', 'lWkLyDSM5Q', 'nwLLo67wt3', 'UYyLZuUlC1', 'jFSLN1EsAx', 'OdNLJxlV3l', 'qbVLF7g1mR', 'OjoLAHE5LB', 'xj0LKo2doe'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, bejyHZrHlbbQAjmPBF.csHigh entropy of concatenated method names: 'vnqcN1lGeN', 'dqacJ9Rypn', 'zYCcAyZPlc', 'rn4cKFjT12', 'LUGcObk3mR', 'PLOc3IxEnr', 'Vy8Ep7TJOShcrX5SCi', 'TNSZPuxa3W7DKHfEpy', 'Pm1cchrIdn', 'UULc2eXrSk'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, EHf4hJcibXDdIwrcxWa.csHigh entropy of concatenated method names: 'GPh5pEEQct', 'G8X5661gvI', 'CZy5a4U08p', 'nZq5DoGqW3', 'qtQ5vDuOw5', 'Dbd5gNEK89', 'gWY5Mrs8GO', 'WPk5tB5Bqy', 'quU5Vp7nWO', 'Vlm5COD7hk'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, yCyWgaVYCyZPlcLn4F.csHigh entropy of concatenated method names: 'HAkyDvYNmP', 'SZUygFHJ2Z', 'OB6ytO5xS2', 'FqoyVSWLUw', 'R2gyO81kuG', 'Byny3n9PuV', 'ldIyRO4C0b', 'b3AyLdkjvC', 'lVcy5bsjsd', 'iAyyBye0YT'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, VtoD4klVEdWHcS8xeB.csHigh entropy of concatenated method names: 'UKy5cLfb4A', 'pAC520I54m', 'kU65rwnIB8', 'Rn75Y4D6QV', 'V5o5jcNDob', 'kaI5o1TUkf', 'v5r5ZRd5oW', 'RmSL4qW8B5', 'j6vLqtV9OZ', 'OT5LP8RBa3'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, X1lGeNtrqa9RypnK1A.csHigh entropy of concatenated method names: 'YgDjSugHe4', 'DT5jH0yfm8', 'KRUjXQ6YTs', 'uAxjUmo3CE', 'P0njm9FbH3', 'WAAjuAM8tH', 'vsej4E0JEX', 'pXUjqZuKT1', 'faUjPRECx7', 'MJEjlVNm5U'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, xVUQskdyggVyKpAr72.csHigh entropy of concatenated method names: 'f7vwtj0SC7', 'VPSwVAQLac', 'KCxwkD0K3U', 'q4kwEhbKvQ', 'HqmwQXNXqe', 'Vvkwf2A3la', 'BjBw8A9SUF', 'jA7wek2HYU', 'pQkwbBk9qP', 'Q2kw9F4BSc'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, iRONNpzmxgNG0DqyUV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T1m5wH5Yn9', 'c4f5OG4nxb', 'l8l53mMuSI', 'oYl5RVOprX', 'MBE5LPrRa5', 'HqA55jdoXd', 'JZt5BrVR7F'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, pmR0LOkIxEnrctQD2X.csHigh entropy of concatenated method names: 'qABZGbaA0y', 'aYfZjSI0TR', 'ElfZoYxmKo', 'BBoZNK6vIh', 'C9IZJ9JLvg', 'lFUomIWgoi', 'APoou49NSs', 'CCNo4uAXLe', 'UbooqD3BQ1', 'hXIoP1GXO3'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, HJtwWsj8mZcgkhR8CY.csHigh entropy of concatenated method names: 'Dispose', 'NsocPAKa0p', 'KCHxEd7Emf', 'R2O11l3QCo', 'kP7cleG0gJ', 'DgFczhfpo9', 'ProcessDialogKey', 'aMcxiLe1PV', 'SUhxcjRYjo', 'xUaxxutoD4'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, B5YNRDX6ACF01eAiIM.csHigh entropy of concatenated method names: 'ToString', 'Nsu390Z1BA', 'SaK3ENTDJv', 'hYv3nYwqOF', 'l5p3QpgJcf', 'nxv3fUV4C0', 'Emm3IFGDOo', 'Gci38T8Vuf', 'lfZ3elmMS4', 'SmP3hsFWrT'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, VFbsN9QyklDZced5yE.csHigh entropy of concatenated method names: 'XI9ZWFwfw3', 'MB4Zpjy1Dv', 'JydZabIBKP', 'LlDZDr8k0K', 'NVnZg9hrSP', 'psfZMdItIL', 'SuGZVx1T8N', 'vVgZCUskbI', 'hk6skP40O4dnFp3QKhA', 'Ku7SwC4EoRAAoQHc0w5'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, U53X4duKhnr0sejxel.csHigh entropy of concatenated method names: 'q9dRqDGSLG', 'XXCRltWufr', 'f9hLiNpZdr', 'mXYLci3loj', 'qU7R9xDhQu', 'NXwR00hpPM', 'YNVRdI8EpX', 'pvERS8IniO', 'oOdRHqhjL0', 'hPORXC46NU'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, gBacBfc2y4FvbqjllAT.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qNcBSa7Y5T', 'KHgBHecyXO', 'lRLBXZcd9H', 'LarBUEe9K9', 'pRWBm6E5qj', 'G32BunBv4O', 'b0vB4PbFXQ'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, l6A1ftxPNHNC6cEnNj.csHigh entropy of concatenated method names: 'MVqa9qiYD', 'Sv6DW5jXs', 'ccBgf7sAh', 'osjMMM8ul', 'Ra9VrVpAf', 'CSLCwFUEI', 'TY9Mjc82YuAdgD8rdA', 'yu16YS1rXxrEQugYJi', 'p80LVcEuh', 'DBYBgpLq1'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, gT12ZpCTTqeGReUGbk.csHigh entropy of concatenated method names: 'dLLovp63h9', 'W2loMMWpMV', 'R7PynHqqJc', 'Vq8yQJykct', 'ej6yf5RgtJ', 'fudyI4EVAe', 'cH7y8Ru1c8', 'Uc4yeTWctG', 'jusyhnZrry', 'hM3ybR2iyc'
                    Source: 0.2.ynhHNexysa.exe.436aab0.1.raw.unpack, OLaIZShKLuCmYa6fj7.csHigh entropy of concatenated method names: 'u1WNpQWdGg', 'YJ5N6gw1sU', 'gJZNaklB4w', 'xkNNDuXVAC', 'KOkNv2uvko', 't2aNgvY8cw', 'y3UNMD6XNP', 'SgANtVvx2q', 'Pk4NVwtCu7', 'J9mNCWetml'
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: ynhHNexysa.exe PID: 2412, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: 1620000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: 2F80000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: 4F80000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: 7CD0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: 7610000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: 8DD0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: 9DD0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: F60000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: 2A40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: 4A40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeWindow / User API: threadDelayed 1776Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeWindow / User API: threadDelayed 8079Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 2556Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep count: 34 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -31359464925306218s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5344Thread sleep count: 1776 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -99890s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5344Thread sleep count: 8079 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -99781s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -99672s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -99562s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -99453s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -99338s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -99234s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -99125s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -99015s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -98906s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -98797s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -98687s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -98574s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -98468s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -98359s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -98250s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -98140s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -98025s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -97918s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -97797s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -97641s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -97527s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -97422s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -97312s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -97203s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -97093s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -96984s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -96875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -96765s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -96656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -96522s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -96406s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -96297s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -96187s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -96078s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -95969s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -95859s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -95750s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -95640s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -95531s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -95422s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -95312s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -95203s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -95094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -94984s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -94874s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -94766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -94656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -94547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exe TID: 5304Thread sleep time: -94437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 99890Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 99781Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 99672Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 99562Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 99453Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 99338Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 99234Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 99125Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 99015Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 98906Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 98797Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 98687Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 98574Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 98468Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 98359Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 98250Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 98140Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 98025Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 97918Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 97797Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 97641Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 97527Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 97422Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 97312Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 97203Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 97093Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 96984Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 96875Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 96765Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 96656Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 96522Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 96406Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 96297Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 96187Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 96078Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 95969Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 95859Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 95750Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 95640Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 95531Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 95422Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 95312Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 95203Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 95094Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 94984Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 94874Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 94766Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 94656Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 94547Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeThread delayed: delay time: 94437Jump to behavior
                    Source: ynhHNexysa.exe, 00000005.00000002.4493699468.0000000000DDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeMemory written: C:\Users\user\Desktop\ynhHNexysa.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess created: C:\Users\user\Desktop\ynhHNexysa.exe "C:\Users\user\Desktop\ynhHNexysa.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess created: C:\Users\user\Desktop\ynhHNexysa.exe "C:\Users\user\Desktop\ynhHNexysa.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeProcess created: C:\Users\user\Desktop\ynhHNexysa.exe "C:\Users\user\Desktop\ynhHNexysa.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Users\user\Desktop\ynhHNexysa.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Users\user\Desktop\ynhHNexysa.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.40240a8.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.3fa9990.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.ynhHNexysa.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.40240a8.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.4495357530.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.4495357530.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ynhHNexysa.exe PID: 2412, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ynhHNexysa.exe PID: 2684, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\ynhHNexysa.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.40240a8.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.3fa9990.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.ynhHNexysa.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.40240a8.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.4495357530.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ynhHNexysa.exe PID: 2412, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ynhHNexysa.exe PID: 2684, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.40240a8.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.3fa9990.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.ynhHNexysa.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.3fa9990.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ynhHNexysa.exe.40240a8.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.4495357530.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.4495357530.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ynhHNexysa.exe PID: 2412, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ynhHNexysa.exe PID: 2684, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		1
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts111
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		1
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		1
                    Query Registry                    		SMB/Windows Admin Shares1
                    Email Collection                    		2
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing                    		NTDS111
                    Security Software Discovery                    		Distributed Component Object Model1
                    Input Capture                    		23
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets1
                    Process Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Masquerading                    		Cached Domain Credentials141
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                    Virtualization/Sandbox Evasion                    		DCSync1
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                    Process Injection                    		Proc Filesystem1
                    System Network Configuration Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    ynhHNexysa.exe100%AviraHEUR/AGEN.1308749
                    ynhHNexysa.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    https://api.ipify.org/0%URL Reputationsafe
                    https://api.ipify.org0%URL Reputationsafe
                    https://account.dyn.com/0%URL Reputationsafe
                    https://api.ipify.org/t0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    http://smtp.jlahuachem.com0%Avira URL Cloudsafe
                    http://us2.smtp.mailhostbox.com0%Avira URL Cloudsafe
                    http://tempuri.org/dxsss.xsd0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    us2.smtp.mailhostbox.com
                    		208.91.199.225
                    		truefalse
                      		unknown
                      api.ipify.org
                      		172.67.74.152
                      		truefalse
                        		unknown
                        smtp.jlahuachem.com
                        		unknown
                        		unknowntrue
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://api.ipify.org/false
                          • URL Reputation: safe
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://smtp.jlahuachem.comynhHNexysa.exe, 00000005.00000002.4495357530.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002C48000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://api.ipify.orgynhHNexysa.exe, 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://tempuri.org/dxsss.xsdynhHNexysa.exefalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://account.dyn.com/ynhHNexysa.exe, 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://api.ipify.org/tynhHNexysa.exe, 00000005.00000002.4495357530.0000000002A41000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://us2.smtp.mailhostbox.comynhHNexysa.exe, 00000005.00000002.4495357530.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002C48000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameynhHNexysa.exe, 00000005.00000002.4495357530.0000000002A41000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          208.91.198.143
                          		unknownUnited States
                          		394695PUBLIC-DOMAIN-REGISTRYUSfalse
                          208.91.199.225
                          		us2.smtp.mailhostbox.comUnited States
                          		394695PUBLIC-DOMAIN-REGISTRYUSfalse
                          208.91.199.223
                          		unknownUnited States
                          		394695PUBLIC-DOMAIN-REGISTRYUSfalse
                          208.91.199.224
                          		unknownUnited States
                          		394695PUBLIC-DOMAIN-REGISTRYUSfalse
                          172.67.74.152
                          		api.ipify.orgUnited States
                          		13335CLOUDFLARENETUSfalse

                          General Information

                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1482799
                          Start date and time:2024-07-26 07:29:05 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 8m 58s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:9
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:ynhHNexysa.exe
                          renamed because original name is a hash value
                          Original Sample Name:3d33cbde84d0a1197ec0d459d634473e.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@7/1@2/5
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 92
                          • Number of non-executed functions: 17
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240000 for current running targets taking high CPU consumption

                          Warnings

                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: ynhHNexysa.exe

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          01:29:55API Interceptor6526326x Sleep call for process: ynhHNexysa.exe modified

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          208.91.198.1432FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                            file.exeGet hashmaliciousSystemBCBrowse
                              file.exeGet hashmaliciousSystemBCBrowse
                                LisectAVT_2403002A_52.exeGet hashmaliciousAgentTeslaBrowse
                                  SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exeGet hashmaliciousAgentTeslaBrowse
                                    8hOkq9mMQu.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      Order List Pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        payment order.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          Mt103.exeGet hashmaliciousAgentTeslaBrowse
                                            PO-070724-WA00002.exeGet hashmaliciousAgentTeslaBrowse
                                              208.91.199.2252FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                                                LisectAVT_2403002A_124.exeGet hashmaliciousAgentTeslaBrowse
                                                  jRlq1fSUW5.exeGet hashmaliciousAgentTeslaBrowse
                                                    IEnetcache.htaGet hashmaliciousCobalt Strike, AgentTesla, PureLog StealerBrowse
                                                      winiti.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                        0RA0ngi2c2.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                          z1X3Z1ohoefF078ij.exeGet hashmaliciousAgentTeslaBrowse
                                                            Products and Quote.exeGet hashmaliciousAgentTeslaBrowse
                                                              Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                                                ATTACHMENT OF PAYMENT.exeGet hashmaliciousAgentTeslaBrowse
                                                                  208.91.199.2232FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                                                                    LisectAVT_2403002B_465.exeGet hashmaliciousAgentTeslaBrowse
                                                                      LCWGT83qLa.exeGet hashmaliciousAgentTeslaBrowse
                                                                        Solicitud urgente de presupuestoNueva colaboraci#U00f3n pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                          z2PKRSEkM9edbE7Om.exeGet hashmaliciousAgentTeslaBrowse
                                                                            SOA-Al Daleel.exeGet hashmaliciousAgentTeslaBrowse
                                                                              SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exeGet hashmaliciousAgentTeslaBrowse
                                                                                QUOTATION.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  Attached Quotation.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    Swift Copy_98754.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      208.91.199.2242FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                                                                                        SWIFT COPY.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          PO-020716-WA0002.pdf..exeGet hashmaliciousAgentTeslaBrowse
                                                                                            SOA-Al Daleel.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              SOA-Al Daleel.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                001 Tech. Spec pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                  Quotation No.06262024.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                    Urgent PO.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                      z1PURCHASEORDER736353.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                        PO#0094321.exeGet hashmaliciousAgentTeslaBrowse

                                                                                                          Domains

                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                          us2.smtp.mailhostbox.com2FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          file.exeGet hashmaliciousSystemBCBrowse
                                                                                                          • 208.91.199.224
                                                                                                          file.exeGet hashmaliciousSystemBCBrowse
                                                                                                          • 208.91.199.223
                                                                                                          LisectAVT_2403002A_124.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          LisectAVT_2403002A_52.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.198.143
                                                                                                          SWIFT COPY.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          LisectAVT_2403002B_465.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          jRlq1fSUW5.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.198.143
                                                                                                          LCWGT83qLa.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.223
                                                                                                          api.ipify.org2FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 172.67.74.152
                                                                                                          https://pub-bc1e99c17d21413c8c62ead228907d1f.r2.dev/auth_gen.html?folder=inf0gudkij&module&user-agent=Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.75+Safari/537.36Get hashmaliciousGreatness Phishing Kit, HTMLPhisherBrowse
                                                                                                          • 104.26.13.205
                                                                                                          https://b14d.lnsd.workers.dev/Get hashmaliciousHTMLPhisherBrowse
                                                                                                          • 104.26.13.205
                                                                                                          LisectAVT_2403002A_124.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 104.26.12.205
                                                                                                          LisectAVT_2403002A_127.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 104.26.13.205
                                                                                                          LisectAVT_2403002A_133.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 172.67.74.152
                                                                                                          LisectAVT_2403002A_2.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 172.67.74.152
                                                                                                          LisectAVT_2403002A_460.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 104.26.13.205
                                                                                                          LisectAVT_2403002A_481.exeGet hashmaliciousLuna Grabber, Luna LoggerBrowse
                                                                                                          • 104.26.12.205
                                                                                                          LisectAVT_2403002A_63.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 172.67.74.152

                                                                                                          ASNs

                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                          PUBLIC-DOMAIN-REGISTRYUS2FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          file.exeGet hashmaliciousSystemBCBrowse
                                                                                                          • 103.50.162.156
                                                                                                          file.exeGet hashmaliciousSystemBCBrowse
                                                                                                          • 103.50.162.156
                                                                                                          LisectAVT_2403002A_124.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          LisectAVT_2403002A_16.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 199.79.62.115
                                                                                                          LisectAVT_2403002A_52.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.198.143
                                                                                                          SWIFT COPY.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          LisectAVT_2403002B_290.exeGet hashmaliciousBdaejecBrowse
                                                                                                          • 74.119.239.234
                                                                                                          LisectAVT_2403002B_465.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.223
                                                                                                          jRlq1fSUW5.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          PUBLIC-DOMAIN-REGISTRYUS2FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          file.exeGet hashmaliciousSystemBCBrowse
                                                                                                          • 103.50.162.156
                                                                                                          file.exeGet hashmaliciousSystemBCBrowse
                                                                                                          • 103.50.162.156
                                                                                                          LisectAVT_2403002A_124.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          LisectAVT_2403002A_16.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 199.79.62.115
                                                                                                          LisectAVT_2403002A_52.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.198.143
                                                                                                          SWIFT COPY.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          LisectAVT_2403002B_290.exeGet hashmaliciousBdaejecBrowse
                                                                                                          • 74.119.239.234
                                                                                                          LisectAVT_2403002B_465.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.223
                                                                                                          jRlq1fSUW5.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          PUBLIC-DOMAIN-REGISTRYUS2FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          file.exeGet hashmaliciousSystemBCBrowse
                                                                                                          • 103.50.162.156
                                                                                                          file.exeGet hashmaliciousSystemBCBrowse
                                                                                                          • 103.50.162.156
                                                                                                          LisectAVT_2403002A_124.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          LisectAVT_2403002A_16.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 199.79.62.115
                                                                                                          LisectAVT_2403002A_52.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.198.143
                                                                                                          SWIFT COPY.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          LisectAVT_2403002B_290.exeGet hashmaliciousBdaejecBrowse
                                                                                                          • 74.119.239.234
                                                                                                          LisectAVT_2403002B_465.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.223
                                                                                                          jRlq1fSUW5.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          PUBLIC-DOMAIN-REGISTRYUS2FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          file.exeGet hashmaliciousSystemBCBrowse
                                                                                                          • 103.50.162.156
                                                                                                          file.exeGet hashmaliciousSystemBCBrowse
                                                                                                          • 103.50.162.156
                                                                                                          LisectAVT_2403002A_124.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          LisectAVT_2403002A_16.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 199.79.62.115
                                                                                                          LisectAVT_2403002A_52.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.198.143
                                                                                                          SWIFT COPY.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.224
                                                                                                          LisectAVT_2403002B_290.exeGet hashmaliciousBdaejecBrowse
                                                                                                          • 74.119.239.234
                                                                                                          LisectAVT_2403002B_465.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.223
                                                                                                          jRlq1fSUW5.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 208.91.199.225
                                                                                                          CLOUDFLARENETUShttp://lotsa.pplanr.comGet hashmaliciousUnknownBrowse
                                                                                                          • 104.21.44.162
                                                                                                          2FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 172.67.74.152
                                                                                                          QMe7JpPtde.exeGet hashmaliciousUnknownBrowse
                                                                                                          • 104.26.2.16
                                                                                                          http://leostop.comGet hashmaliciousUnknownBrowse
                                                                                                          • 104.16.141.114
                                                                                                          file.exeGet hashmaliciousBabadedaBrowse
                                                                                                          • 172.64.41.3
                                                                                                          file.exeGet hashmaliciousBabadedaBrowse
                                                                                                          • 172.64.41.3
                                                                                                          https://odc.officeapps.live.com.mcas.ms/odc/v2.1/hrd?rs=en-US&Ver=16&app=111&p=6&hm=0&fpEnabled=1&McasTsid=REDACTEDGet hashmaliciousUnknownBrowse
                                                                                                          • 1.1.1.1
                                                                                                          file.exeGet hashmaliciousBabadedaBrowse
                                                                                                          • 172.64.41.3
                                                                                                          file.exeGet hashmaliciousBabadedaBrowse
                                                                                                          • 172.64.41.3
                                                                                                          7Y18r(191).exeGet hashmaliciousUnknownBrowse
                                                                                                          • 104.16.149.130

                                                                                                          JA3 Fingerprints

                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                          3b5074b1b5d032e5620f69f9f700ff0e7Y18r(191).exeGet hashmaliciousUnknownBrowse
                                                                                                          • 172.67.74.152
                                                                                                          7Y18r(169).exeGet hashmaliciousCryptOneBrowse
                                                                                                          • 172.67.74.152
                                                                                                          7Y18r(191).exeGet hashmaliciousUnknownBrowse
                                                                                                          • 172.67.74.152
                                                                                                          xptRc4P9NV.exeGet hashmaliciousUnknownBrowse
                                                                                                          • 172.67.74.152
                                                                                                          fps-booster.exeGet hashmaliciousStormKittyBrowse
                                                                                                          • 172.67.74.152
                                                                                                          https://metamaskwalletexetention.webflow.io/Get hashmaliciousUnknownBrowse
                                                                                                          • 172.67.74.152
                                                                                                          http://56edthdxfhbx.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                                                                          • 172.67.74.152
                                                                                                          https://banco.estado-app.comGet hashmaliciousUnknownBrowse
                                                                                                          • 172.67.74.152
                                                                                                          http://contact-office-kawai9lpoe9srsi9lpoe9srsi.narymar.com/Get hashmaliciousUnknownBrowse
                                                                                                          • 172.67.74.152
                                                                                                          http://gentle-union.wordsowd.workers.dev/Get hashmaliciousUnknownBrowse
                                                                                                          • 172.67.74.152

                                                                                                          Dropped Files

                                                                                                          No context

                                                                                                          Created / dropped Files

                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ynhHNexysa.exe.log

                                                                                                          Download File
                                                                                                          Process:C:\Users\user\Desktop\ynhHNexysa.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1216
                                                                                                          Entropy (8bit):5.34331486778365
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                          Malicious:true
                                                                                                          Reputation:high, very likely benign file
                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):7.848719392804634
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                          File name:ynhHNexysa.exe
                                                                                                          File size:671'744 bytes
                                                                                                          MD5:3d33cbde84d0a1197ec0d459d634473e
                                                                                                          SHA1:abd0074c5b2eed8fbab4d30443ceac4b403ad09d
                                                                                                          SHA256:33647cf1d7ba05386d44a608a94979925883f8e8c0e5f63b3f2e7ffdc7380461
                                                                                                          SHA512:36f31309dddf020fd9fee7c44d8847924c4f8a9306a7f04dfa15fd2b73645c982f98d4b7a616b2b31d4b3c14510f2858608beda519eb8475780b544a4eedcea1
                                                                                                          SSDEEP:12288:6ChcU7r3FL0YtcCCvLLgov4CnDUOt7TDM2DG0oSb3fqEVzXfmhujHeis3c:Jco3FYYtajLX4stTA2DGbSeEUh+ei8c
                                                                                                          TLSH:71E412057B81A777D22FABB15111C2960BF2721B20B0D3FC1CDA3AB899E27D046A3747
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......@......B.... ........@.. ... ...................@... ........@................................

                                                                                                          File Icon

                                                                                                          Icon Hash:00928e8e8686b000

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x49fd42
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                          Time Stamp:0x66A1D211 [Thu Jul 25 04:18:25 2024 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                          Entrypoint Preview

                                                                                                          Instruction
                                                                                                          jmp dword ptr [00402000h]
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al

                                                                                                          Data Directories

                                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x9fcf00x4f.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xa00000x5e0.rsrc
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xa20000xc.reloc
                                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                          Sections

                                                                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                          .text0x20000x9dd480x9e0006ca31c7a27c5f4f31d963044cdf48407False0.960245253164557data7.962364275489502IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                          .rsrc0xa00000x5e00x2000e4c45285e393fe40e2c72b4476017462False0.0855712890625data1.0966777007684447IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                          .reloc0xa20000xc0x200025ea05bb96e8c918e99eb4d6126291b2False0.005126953125data0.008814852707337104IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                          Resources

                                                                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                          RT_VERSION0xa00900x350data0.4339622641509434
                                                                                                          RT_MANIFEST0xa03f00x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                                                          Imports

                                                                                                          DLLImport
                                                                                                          mscoree.dll_CorExeMain

                                                                                                          Network Behavior

                                                                                                          Suricata IDS Alerts

                                                                                                          TimestampProtocolSIDSignatureSource PortDest PortSource IPDest IP
                                                                                                          2024-07-26T07:30:16.711253+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434971140.68.123.157192.168.2.5
                                                                                                          2024-07-26T07:30:56.019190+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434971740.68.123.157192.168.2.5

                                                                                                          Network Port Distribution

                                                                                                          TCP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Jul 26, 2024 07:29:57.732228994 CEST49706443192.168.2.5172.67.74.152
                                                                                                          Jul 26, 2024 07:29:57.732323885 CEST44349706172.67.74.152192.168.2.5
                                                                                                          Jul 26, 2024 07:29:57.732503891 CEST49706443192.168.2.5172.67.74.152
                                                                                                          Jul 26, 2024 07:29:57.743882895 CEST49706443192.168.2.5172.67.74.152
                                                                                                          Jul 26, 2024 07:29:57.743923903 CEST44349706172.67.74.152192.168.2.5
                                                                                                          Jul 26, 2024 07:29:58.346380949 CEST44349706172.67.74.152192.168.2.5
                                                                                                          Jul 26, 2024 07:29:58.346482992 CEST49706443192.168.2.5172.67.74.152
                                                                                                          Jul 26, 2024 07:29:58.349952936 CEST49706443192.168.2.5172.67.74.152
                                                                                                          Jul 26, 2024 07:29:58.349977970 CEST44349706172.67.74.152192.168.2.5
                                                                                                          Jul 26, 2024 07:29:58.350405931 CEST44349706172.67.74.152192.168.2.5
                                                                                                          Jul 26, 2024 07:29:58.404711008 CEST49706443192.168.2.5172.67.74.152
                                                                                                          Jul 26, 2024 07:29:58.416848898 CEST49706443192.168.2.5172.67.74.152
                                                                                                          Jul 26, 2024 07:29:58.464540958 CEST44349706172.67.74.152192.168.2.5
                                                                                                          Jul 26, 2024 07:29:58.525414944 CEST44349706172.67.74.152192.168.2.5
                                                                                                          Jul 26, 2024 07:29:58.525563002 CEST44349706172.67.74.152192.168.2.5
                                                                                                          Jul 26, 2024 07:29:58.525825977 CEST49706443192.168.2.5172.67.74.152
                                                                                                          Jul 26, 2024 07:29:58.555790901 CEST49706443192.168.2.5172.67.74.152
                                                                                                          Jul 26, 2024 07:29:59.670833111 CEST4970825192.168.2.5208.91.199.225
                                                                                                          Jul 26, 2024 07:30:00.670382023 CEST4970825192.168.2.5208.91.199.225
                                                                                                          Jul 26, 2024 07:30:02.685961962 CEST4970825192.168.2.5208.91.199.225
                                                                                                          Jul 26, 2024 07:30:06.701596022 CEST4970825192.168.2.5208.91.199.225
                                                                                                          Jul 26, 2024 07:30:14.701581001 CEST4970825192.168.2.5208.91.199.225
                                                                                                          Jul 26, 2024 07:30:20.704653978 CEST4970825192.168.2.5208.91.198.143
                                                                                                          Jul 26, 2024 07:30:21.717278004 CEST4970825192.168.2.5208.91.198.143
                                                                                                          Jul 26, 2024 07:30:23.733042002 CEST4970825192.168.2.5208.91.198.143
                                                                                                          Jul 26, 2024 07:30:27.748655081 CEST4970825192.168.2.5208.91.198.143
                                                                                                          Jul 26, 2024 07:30:35.764183998 CEST4970825192.168.2.5208.91.198.143
                                                                                                          Jul 26, 2024 07:30:41.780111074 CEST4970825192.168.2.5208.91.199.223
                                                                                                          Jul 26, 2024 07:30:42.779783010 CEST4970825192.168.2.5208.91.199.223
                                                                                                          Jul 26, 2024 07:30:44.779861927 CEST4970825192.168.2.5208.91.199.223
                                                                                                          Jul 26, 2024 07:30:48.779777050 CEST4970825192.168.2.5208.91.199.223
                                                                                                          Jul 26, 2024 07:30:56.779781103 CEST4970825192.168.2.5208.91.199.223
                                                                                                          Jul 26, 2024 07:31:02.780028105 CEST4970825192.168.2.5208.91.199.224
                                                                                                          Jul 26, 2024 07:31:03.779814959 CEST4970825192.168.2.5208.91.199.224
                                                                                                          Jul 26, 2024 07:31:05.779905081 CEST4970825192.168.2.5208.91.199.224
                                                                                                          Jul 26, 2024 07:31:09.795511007 CEST4970825192.168.2.5208.91.199.224
                                                                                                          Jul 26, 2024 07:31:17.811055899 CEST4970825192.168.2.5208.91.199.224
                                                                                                          Jul 26, 2024 07:31:24.079329967 CEST4971825192.168.2.5208.91.199.225
                                                                                                          Jul 26, 2024 07:31:25.093646049 CEST4971825192.168.2.5208.91.199.225
                                                                                                          Jul 26, 2024 07:31:27.092525005 CEST4971825192.168.2.5208.91.199.225
                                                                                                          Jul 26, 2024 07:31:31.108915091 CEST4971825192.168.2.5208.91.199.225
                                                                                                          Jul 26, 2024 07:31:39.125735998 CEST4971825192.168.2.5208.91.199.225
                                                                                                          Jul 26, 2024 07:31:45.123810053 CEST4971825192.168.2.5208.91.198.143
                                                                                                          Jul 26, 2024 07:31:46.123491049 CEST4971825192.168.2.5208.91.198.143
                                                                                                          Jul 26, 2024 07:31:48.123512983 CEST4971825192.168.2.5208.91.198.143
                                                                                                          Jul 26, 2024 07:31:52.123553991 CEST4971825192.168.2.5208.91.198.143
                                                                                                          Jul 26, 2024 07:32:00.279761076 CEST4971825192.168.2.5208.91.198.143
                                                                                                          Jul 26, 2024 07:32:06.280030966 CEST4971825192.168.2.5208.91.199.223
                                                                                                          Jul 26, 2024 07:32:07.281800985 CEST4971825192.168.2.5208.91.199.223
                                                                                                          Jul 26, 2024 07:32:09.297744036 CEST4971825192.168.2.5208.91.199.223
                                                                                                          Jul 26, 2024 07:32:13.295386076 CEST4971825192.168.2.5208.91.199.223
                                                                                                          Jul 26, 2024 07:32:21.311064005 CEST4971825192.168.2.5208.91.199.223
                                                                                                          Jul 26, 2024 07:32:27.327055931 CEST4971825192.168.2.5208.91.199.224
                                                                                                          Jul 26, 2024 07:32:28.326634884 CEST4971825192.168.2.5208.91.199.224
                                                                                                          Jul 26, 2024 07:32:30.326931953 CEST4971825192.168.2.5208.91.199.224
                                                                                                          Jul 26, 2024 07:32:34.326647997 CEST4971825192.168.2.5208.91.199.224
                                                                                                          Jul 26, 2024 07:32:42.326667070 CEST4971825192.168.2.5208.91.199.224

                                                                                                          UDP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Jul 26, 2024 07:29:57.482494116 CEST6083553192.168.2.51.1.1.1
                                                                                                          Jul 26, 2024 07:29:57.721447945 CEST53608351.1.1.1192.168.2.5
                                                                                                          Jul 26, 2024 07:29:59.350464106 CEST5623153192.168.2.51.1.1.1
                                                                                                          Jul 26, 2024 07:29:59.669230938 CEST53562311.1.1.1192.168.2.5

                                                                                                          DNS Queries

                                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                          Jul 26, 2024 07:29:57.482494116 CEST192.168.2.51.1.1.10x669cStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                                          Jul 26, 2024 07:29:59.350464106 CEST192.168.2.51.1.1.10x7f81Standard query (0)smtp.jlahuachem.comA (IP address)IN (0x0001)false

                                                                                                          DNS Answers

                                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                          Jul 26, 2024 07:29:57.721447945 CEST1.1.1.1192.168.2.50x669cNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                                                                          Jul 26, 2024 07:29:57.721447945 CEST1.1.1.1192.168.2.50x669cNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                                                                          Jul 26, 2024 07:29:57.721447945 CEST1.1.1.1192.168.2.50x669cNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                                                                          Jul 26, 2024 07:29:59.669230938 CEST1.1.1.1192.168.2.50x7f81No error (0)smtp.jlahuachem.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                          Jul 26, 2024 07:29:59.669230938 CEST1.1.1.1192.168.2.50x7f81No error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                                          Jul 26, 2024 07:29:59.669230938 CEST1.1.1.1192.168.2.50x7f81No error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                                          Jul 26, 2024 07:29:59.669230938 CEST1.1.1.1192.168.2.50x7f81No error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                                          Jul 26, 2024 07:29:59.669230938 CEST1.1.1.1192.168.2.50x7f81No error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false

                                                                                                          HTTP Request Dependency Graph

                                                                                                          • api.ipify.org

                                                                                                          HTTPS Proxied Packets

                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          0192.168.2.549706172.67.74.1524432684C:\Users\user\Desktop\ynhHNexysa.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          2024-07-26 05:29:58 UTC155OUTGET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                                          Host: api.ipify.org
                                                                                                          Connection: Keep-Alive
                                                                                                          2024-07-26 05:29:58 UTC211INHTTP/1.1 200 OK
                                                                                                          Date: Fri, 26 Jul 2024 05:29:58 GMT
                                                                                                          Content-Type: text/plain
                                                                                                          Content-Length: 11
                                                                                                          Connection: close
                                                                                                          Vary: Origin
                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                          Server: cloudflare
                                                                                                          CF-RAY: 8a91febc6e4172b6-EWR
                                                                                                          2024-07-26 05:29:58 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                                                                          Data Ascii: 8.46.123.33


                                                                                                          Statistics

                                                                                                          CPU Usage

                                                                                                          Click to jump to process

                                                                                                          Memory Usage

                                                                                                          Click to jump to process

                                                                                                          High Level Behavior Distribution

                                                                                                          Click to dive into process behavior distribution

                                                                                                          Behavior

                                                                                                          Click to jump to process

                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Target ID:0
                                                                                                          Start time:01:29:54
                                                                                                          Start date:26/07/2024
                                                                                                          Path:C:\Users\user\Desktop\ynhHNexysa.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\ynhHNexysa.exe"
                                                                                                          Imagebase:0xc50000
                                                                                                          File size:671'744 bytes
                                                                                                          MD5 hash:3D33CBDE84D0A1197EC0D459D634473E
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:3
                                                                                                          Start time:01:29:56
                                                                                                          Start date:26/07/2024
                                                                                                          Path:C:\Users\user\Desktop\ynhHNexysa.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Users\user\Desktop\ynhHNexysa.exe"
                                                                                                          Imagebase:0x410000
                                                                                                          File size:671'744 bytes
                                                                                                          MD5 hash:3D33CBDE84D0A1197EC0D459D634473E
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:4
                                                                                                          Start time:01:29:56
                                                                                                          Start date:26/07/2024
                                                                                                          Path:C:\Users\user\Desktop\ynhHNexysa.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Users\user\Desktop\ynhHNexysa.exe"
                                                                                                          Imagebase:0x110000
                                                                                                          File size:671'744 bytes
                                                                                                          MD5 hash:3D33CBDE84D0A1197EC0D459D634473E
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:5
                                                                                                          Start time:01:29:56
                                                                                                          Start date:26/07/2024
                                                                                                          Path:C:\Users\user\Desktop\ynhHNexysa.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\ynhHNexysa.exe"
                                                                                                          Imagebase:0x670000
                                                                                                          File size:671'744 bytes
                                                                                                          MD5 hash:3D33CBDE84D0A1197EC0D459D634473E
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4495357530.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4495357530.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4495357530.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                          Disassembly

                                                                                                          Reset < >

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:10.8%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:1.5%
                                                                                                            Total number of Nodes:326
                                                                                                            Total number of Limit Nodes:8
                                                                                                            execution_graph 33719 760c100 33720 760c128 33719->33720 33721 760c11e 33719->33721 33724 760c153 33721->33724 33728 760c168 33721->33728 33725 760c173 33724->33725 33733 760ba80 33725->33733 33729 760c176 33728->33729 33732 760c195 33728->33732 33730 760ba80 FindCloseChangeNotification 33729->33730 33731 760c191 33730->33731 33731->33720 33732->33720 33734 760c2e0 FindCloseChangeNotification 33733->33734 33735 760c191 33734->33735 33735->33720 33383 7607f61 33387 7608c50 33383->33387 33407 7608c4a 33383->33407 33384 7607f8a 33388 7608c6a 33387->33388 33389 7608c8e 33388->33389 33427 76094a0 33388->33427 33432 76092be 33388->33432 33440 7609a9e 33388->33440 33444 76093bb 33388->33444 33449 760931b 33388->33449 33454 760929a 33388->33454 33459 7609196 33388->33459 33464 7609b94 33388->33464 33470 7609453 33388->33470 33475 760942e 33388->33475 33480 760924d 33388->33480 33484 76093ec 33388->33484 33489 7609549 33388->33489 33494 7609a68 33388->33494 33500 76090e7 33388->33500 33506 7609165 33388->33506 33511 7609062 33388->33511 33389->33384 33408 7608c50 33407->33408 33409 7608c8e 33408->33409 33410 76094a0 2 API calls 33408->33410 33411 7609062 2 API calls 33408->33411 33412 7609165 2 API calls 33408->33412 33413 76090e7 2 API calls 33408->33413 33414 7609a68 2 API calls 33408->33414 33415 7609549 2 API calls 33408->33415 33416 76093ec 2 API calls 33408->33416 33417 760924d 2 API calls 33408->33417 33418 760942e 2 API calls 33408->33418 33419 7609453 2 API calls 33408->33419 33420 7609b94 2 API calls 33408->33420 33421 7609196 2 API calls 33408->33421 33422 760929a 2 API calls 33408->33422 33423 760931b 2 API calls 33408->33423 33424 76093bb 2 API calls 33408->33424 33425 7609a9e 2 API calls 33408->33425 33426 76092be 4 API calls 33408->33426 33409->33384 33410->33409 33411->33409 33412->33409 33413->33409 33414->33409 33415->33409 33416->33409 33417->33409 33418->33409 33419->33409 33420->33409 33421->33409 33422->33409 33423->33409 33424->33409 33425->33409 33426->33409 33428 76093e1 33427->33428 33516 7607820 33428->33516 33520 7607828 33428->33520 33429 7609ac4 33433 760926b 33432->33433 33434 76092cb 33432->33434 33435 760927b 33433->33435 33524 7607732 33433->33524 33528 7607738 33433->33528 33532 7609cc7 33434->33532 33537 7609cd8 33434->33537 33435->33389 33435->33435 33441 7609ac4 33440->33441 33442 7607820 ReadProcessMemory 33440->33442 33443 7607828 ReadProcessMemory 33440->33443 33442->33441 33443->33441 33445 76093c1 33444->33445 33447 7607820 ReadProcessMemory 33445->33447 33448 7607828 ReadProcessMemory 33445->33448 33446 7609ac4 33447->33446 33448->33446 33450 76097a7 33449->33450 33550 76075a0 33450->33550 33554 7607598 33450->33554 33451 76097c2 33455 76092c8 33454->33455 33456 76092e4 33455->33456 33457 7609cc7 2 API calls 33455->33457 33458 7609cd8 2 API calls 33455->33458 33456->33389 33456->33456 33457->33456 33458->33456 33460 76092f9 33459->33460 33462 7607732 WriteProcessMemory 33460->33462 33463 7607738 WriteProcessMemory 33460->33463 33461 760919b 33461->33389 33462->33461 33463->33461 33466 7609070 33464->33466 33465 7609b47 33465->33389 33466->33465 33558 76079c0 33466->33558 33562 76079b6 33466->33562 33471 76093e1 33470->33471 33473 7607820 ReadProcessMemory 33471->33473 33474 7607828 ReadProcessMemory 33471->33474 33472 7609ac4 33473->33472 33474->33472 33476 76093e1 33475->33476 33478 7607820 ReadProcessMemory 33476->33478 33479 7607828 ReadProcessMemory 33476->33479 33477 7609ac4 33478->33477 33479->33477 33482 7607732 WriteProcessMemory 33480->33482 33483 7607738 WriteProcessMemory 33480->33483 33481 760927b 33481->33389 33481->33481 33482->33481 33483->33481 33485 76093e1 33484->33485 33487 7607820 ReadProcessMemory 33485->33487 33488 7607828 ReadProcessMemory 33485->33488 33486 7609ac4 33487->33486 33488->33486 33490 760954b 33489->33490 33492 76075a0 Wow64SetThreadContext 33490->33492 33493 7607598 Wow64SetThreadContext 33490->33493 33491 7609566 33492->33491 33493->33491 33495 76095c2 33494->33495 33496 7609a75 33494->33496 33566 76074f0 33495->33566 33570 76074e8 33495->33570 33497 7609598 33502 7609070 33500->33502 33501 7609b47 33501->33389 33502->33501 33504 76079c0 CreateProcessA 33502->33504 33505 76079b6 CreateProcessA 33502->33505 33503 7609122 33503->33389 33504->33503 33505->33503 33507 76095f3 33506->33507 33509 7607732 WriteProcessMemory 33507->33509 33510 7607738 WriteProcessMemory 33507->33510 33508 760914d 33509->33508 33510->33508 33512 760908e 33511->33512 33514 76079c0 CreateProcessA 33512->33514 33515 76079b6 CreateProcessA 33512->33515 33513 7609122 33513->33389 33514->33513 33515->33513 33517 7607873 ReadProcessMemory 33516->33517 33519 76078b7 33517->33519 33519->33429 33521 7607873 ReadProcessMemory 33520->33521 33523 76078b7 33521->33523 33523->33429 33525 7607780 WriteProcessMemory 33524->33525 33527 76077d7 33525->33527 33527->33435 33529 7607780 WriteProcessMemory 33528->33529 33531 76077d7 33529->33531 33531->33435 33533 7609cd5 33532->33533 33542 7607678 33533->33542 33546 7607672 33533->33546 33534 7609d0c 33534->33435 33538 7609ced 33537->33538 33540 7607672 VirtualAllocEx 33538->33540 33541 7607678 VirtualAllocEx 33538->33541 33539 7609d0c 33539->33435 33540->33539 33541->33539 33543 76076b8 VirtualAllocEx 33542->33543 33545 76076f5 33543->33545 33545->33534 33547 7607678 VirtualAllocEx 33546->33547 33549 76076f5 33547->33549 33549->33534 33551 76075e5 Wow64SetThreadContext 33550->33551 33553 760762d 33551->33553 33553->33451 33555 76075a0 Wow64SetThreadContext 33554->33555 33557 760762d 33555->33557 33557->33451 33559 7607a49 CreateProcessA 33558->33559 33561 7607c0b 33559->33561 33563 7607a49 CreateProcessA 33562->33563 33565 7607c0b 33563->33565 33567 7607530 ResumeThread 33566->33567 33569 7607561 33567->33569 33569->33497 33571 76074ed ResumeThread 33570->33571 33573 7607561 33571->33573 33573->33497 33574 15dd01c 33575 15dd034 33574->33575 33576 15dd08e 33575->33576 33581 5632808 33575->33581 33586 5631a98 33575->33586 33591 5631aa8 33575->33591 33596 5632818 33575->33596 33582 5632818 33581->33582 33583 5632877 33582->33583 33601 5632da8 33582->33601 33606 5632d88 33582->33606 33587 5631aa8 33586->33587 33589 5632808 2 API calls 33587->33589 33590 5632818 2 API calls 33587->33590 33588 5631aef 33588->33576 33589->33588 33590->33588 33592 5631ace 33591->33592 33594 5632808 2 API calls 33592->33594 33595 5632818 2 API calls 33592->33595 33593 5631aef 33593->33576 33594->33593 33595->33593 33597 5632845 33596->33597 33598 5632877 33597->33598 33599 5632da8 2 API calls 33597->33599 33600 5632d88 2 API calls 33597->33600 33599->33598 33600->33598 33603 5632dbc 33601->33603 33602 5632e48 33602->33583 33611 5632e60 33603->33611 33614 5632e50 33603->33614 33608 5632daa 33606->33608 33607 5632e48 33607->33583 33609 5632e60 2 API calls 33608->33609 33610 5632e50 2 API calls 33608->33610 33609->33607 33610->33607 33613 5632e71 33611->33613 33618 5634022 33611->33618 33613->33602 33615 5632e60 33614->33615 33616 5632e71 33615->33616 33617 5634022 2 API calls 33615->33617 33616->33602 33617->33616 33622 5634040 33618->33622 33626 5634050 33618->33626 33619 563403a 33619->33613 33623 5634092 33622->33623 33625 5634099 33622->33625 33624 56340ea CallWindowProcW 33623->33624 33623->33625 33624->33625 33625->33619 33627 5634092 33626->33627 33629 5634099 33626->33629 33628 56340ea CallWindowProcW 33627->33628 33627->33629 33628->33629 33629->33619 33736 162ac50 33737 162ac5f 33736->33737 33740 162ad37 33736->33740 33748 162ad48 33736->33748 33741 162ad59 33740->33741 33742 162ad7c 33740->33742 33741->33742 33756 162afe0 33741->33756 33760 162afd1 33741->33760 33742->33737 33743 162ad74 33743->33742 33744 162af80 GetModuleHandleW 33743->33744 33745 162afad 33744->33745 33745->33737 33749 162ad59 33748->33749 33750 162ad7c 33748->33750 33749->33750 33754 162afe0 LoadLibraryExW 33749->33754 33755 162afd1 LoadLibraryExW 33749->33755 33750->33737 33751 162af80 GetModuleHandleW 33753 162afad 33751->33753 33752 162ad74 33752->33750 33752->33751 33753->33737 33754->33752 33755->33752 33757 162aff4 33756->33757 33758 162b019 33757->33758 33764 162a108 33757->33764 33758->33743 33761 162aff4 33760->33761 33762 162b019 33761->33762 33763 162a108 LoadLibraryExW 33761->33763 33762->33743 33763->33762 33765 162b1c0 LoadLibraryExW 33764->33765 33767 162b239 33765->33767 33767->33758 33768 5637bd0 33769 5637bfb 33768->33769 33775 5637694 33769->33775 33772 5639c6f 33773 5637c3e 33774 5638282 33773->33774 33779 5637880 33773->33779 33776 563769f 33775->33776 33777 5637880 2 API calls 33776->33777 33778 5639c6f 33777->33778 33778->33773 33780 563788b 33779->33780 33781 5639ca2 33780->33781 33783 1625cdc 2 API calls 33780->33783 33784 16282a8 33780->33784 33781->33772 33783->33781 33785 16282e3 33784->33785 33786 16285a9 33785->33786 33787 162cd00 2 API calls 33785->33787 33788 162cd10 2 API calls 33785->33788 33786->33781 33787->33786 33788->33786 33712 760a2f8 33713 760a483 33712->33713 33714 760a31e 33712->33714 33714->33713 33716 7609ef0 33714->33716 33717 760a578 PostMessageW 33716->33717 33718 760a5e4 33717->33718 33718->33714 33630 1624668 33631 1624672 33630->33631 33635 1624759 33630->33635 33640 1624210 33631->33640 33633 162468d 33636 162477d 33635->33636 33644 1624868 33636->33644 33648 1624859 33636->33648 33641 162421b 33640->33641 33656 1625c5c 33641->33656 33643 1626fea 33643->33633 33646 162488f 33644->33646 33645 162496c 33645->33645 33646->33645 33652 16244d4 33646->33652 33650 1624868 33648->33650 33649 162496c 33650->33649 33651 16244d4 CreateActCtxA 33650->33651 33651->33649 33653 16258f8 CreateActCtxA 33652->33653 33655 16259bb 33653->33655 33657 1625c67 33656->33657 33660 1625c7c 33657->33660 33659 162708d 33659->33643 33661 1625c87 33660->33661 33664 1625cac 33661->33664 33663 1627162 33663->33659 33665 1625cb7 33664->33665 33668 1625cdc 33665->33668 33667 1627265 33667->33663 33670 1625ce7 33668->33670 33669 16285a9 33669->33667 33670->33669 33673 162cd00 33670->33673 33678 162cd10 33670->33678 33675 162cd05 33673->33675 33674 162cd55 33674->33669 33675->33674 33683 162cec0 33675->33683 33687 162ceb0 33675->33687 33679 162cd31 33678->33679 33680 162cd55 33679->33680 33681 162cec0 2 API calls 33679->33681 33682 162ceb0 2 API calls 33679->33682 33680->33669 33681->33680 33682->33680 33684 162cecd 33683->33684 33686 162cf07 33684->33686 33691 162b720 33684->33691 33686->33674 33688 162cec0 33687->33688 33689 162cf07 33688->33689 33690 162b720 2 API calls 33688->33690 33689->33674 33690->33689 33692 162b72b 33691->33692 33694 162dc18 33692->33694 33695 162d024 33692->33695 33696 162d02f 33695->33696 33697 1625cdc 2 API calls 33696->33697 33698 162dc87 33697->33698 33702 162fa08 33698->33702 33707 162f9f0 33698->33707 33699 162dcc1 33699->33694 33703 162fa45 33702->33703 33704 162fa39 33702->33704 33703->33699 33704->33703 33705 56309b2 CreateWindowExW CreateWindowExW 33704->33705 33706 56309c0 CreateWindowExW CreateWindowExW 33704->33706 33705->33703 33706->33703 33708 162fa45 33707->33708 33709 162fa39 33707->33709 33708->33699 33709->33708 33710 56309b2 CreateWindowExW CreateWindowExW 33709->33710 33711 56309c0 CreateWindowExW CreateWindowExW 33709->33711 33710->33708 33711->33708 33789 162d3d8 33790 162d41e 33789->33790 33794 162d5a8 33790->33794 33797 162d5b8 33790->33797 33791 162d50b 33800 162b730 33794->33800 33798 162d5e6 33797->33798 33799 162b730 DuplicateHandle 33797->33799 33798->33791 33799->33798 33801 162d620 DuplicateHandle 33800->33801 33802 162d5e6 33801->33802 33802->33791

                                                                                                            Executed Functions

                                                                                                            Function 05637BD0 Relevance: 43.2, Strings: 33, Instructions: 1941COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 294 5637bd0-5637df5 call 5637694 call 56376a4 call 56376b4 call 56376c4 * 2 call 56376d4 * 2 call 56376e4 * 5 350 5637dfb-5637e01 294->350 351 5637f0f-5638256 call 56376e4 * 3 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637734 call 56376f4 call 5637704 call 5637744 call 5637714 call 5637724 294->351 352 5637e04-5637e39 350->352 411 5638258-563825e 351->411 412 563826e-563827c 351->412 353 5639c48-5639c6f call 5637880 352->353 354 5637e3f-5637e74 352->354 354->353 356 5637e7a-5637e9e 354->356 356->353 358 5637ea4-5637ebf 356->358 361 5637ec1-5637ec7 358->361 362 5637ec8-5637ed9 358->362 361->362 364 5637ee2-5637f09 362->364 365 5637edb-5637ee1 362->365 364->351 364->352 365->364 413 5638262-5638264 411->413 414 5638260 411->414 412->353 416 5638282-56382f3 call 5637754 412->416 413->412 414->412 423 56382f9-5639c47 call 5637764 call 5637774 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 5637794 call 56377c0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 5637794 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637794 call 56376f4 call 5637704 call 5637714 call 5637724 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377f0 call 5637800 call 5637810 call 5637820 * 14 call 5637830 call 5637840 call 5637850 call 5637860 call 5637704 call 56354e4 call 5637870 * 2 416->423
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2066890308.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5630000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $ $ $&$($($-$7$7$7$C$Pp]q$Q$_$_$_$_$_$_$_$_$d$d$g$i$k$k$k$k$k$k$k$k
                                                                                                            • API String ID: 0-3898640276
                                                                                                            • Opcode ID: 6f60ce4880862fec0dfa995f3b33b70cbd4a7249efa0c847edadc6e4bd8eb38e
                                                                                                            • Instruction ID: 8c5e970ce4a3af743bd5cf90024dc23585bffe99f321ac89c8c76bafefd9bc06
                                                                                                            • Opcode Fuzzy Hash: 6f60ce4880862fec0dfa995f3b33b70cbd4a7249efa0c847edadc6e4bd8eb38e
                                                                                                            • Instruction Fuzzy Hash: 3713F674A107198FC725EF38C895BAAB7B2FF89300F50869DD4496B360DB71AA85CF41
                                                                                                            Function 05637BC0 Relevance: 43.2, Strings: 33, Instructions: 1931COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 762 5637bc0-5637c49 call 5637694 770 5637c53-5637c57 call 56376a4 762->770 772 5637c5c-5637c67 770->772 774 5637c71-5637c75 call 56376b4 772->774 776 5637c7a-5637c85 774->776 778 5637c8f-5637c93 call 56376c4 776->778 780 5637c98-5637df5 call 56376c4 call 56376d4 * 2 call 56376e4 * 5 778->780 818 5637dfb-5637e01 780->818 819 5637f0f-5637f76 call 56376e4 * 3 780->819 820 5637e04-5637e39 818->820 846 5637f7d-5637fb2 call 56376f4 819->846 821 5639c48-5639c5b 820->821 822 5637e3f-5637e74 820->822 831 5639c60-5639c6f call 5637880 821->831 822->821 824 5637e7a-5637e9e 822->824 824->821 826 5637ea4-5637ebf 824->826 829 5637ec1-5637ec7 826->829 830 5637ec8-5637ed9 826->830 829->830 832 5637ee2-5637f09 830->832 833 5637edb-5637ee1 830->833 832->819 832->820 833->832 848 5637fb7-56380d6 call 5637704 call 5637714 call 5637724 call 5637734 846->848 861 56380dd-56380e2 848->861 862 56380ea-5638234 call 56376f4 call 5637704 call 5637744 call 5637714 call 5637724 861->862 877 563823b-563824c 862->877 878 5638254-5638256 877->878 879 5638258-563825e 878->879 880 563826e-5638272 878->880 881 5638262-5638264 879->881 882 5638260 879->882 883 5638278-563827c 880->883 881->880 882->880 883->821 884 5638282-56382cb call 5637754 883->884 890 56382d5-56382f3 884->890 891 56382f9-5639c47 call 5637764 call 5637774 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 5637794 call 56377c0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 5637794 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637794 call 56376f4 call 5637704 call 5637714 call 5637724 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377d0 call 56376f4 call 5637704 call 5637714 call 5637724 call 5637784 call 56377e0 call 56377c0 call 56377f0 call 5637800 call 5637810 call 5637820 * 14 call 5637830 call 5637840 call 5637850 call 5637860 call 5637704 call 56354e4 call 5637870 * 2 890->891
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2066890308.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5630000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $ $ $&$($($-$7$7$7$C$Pp]q$Q$_$_$_$_$_$_$_$_$d$d$g$i$k$k$k$k$k$k$k$k
                                                                                                            • API String ID: 0-3898640276
                                                                                                            • Opcode ID: bba3248dfe0a8094008bf00e44821606dc9f5e9e0ad3a2160be819b8434b5c4a
                                                                                                            • Instruction ID: bf8c4daa1f9e261204af7a424e51586bc02a4f89e33be9795be436b5eb4e0f3d
                                                                                                            • Opcode Fuzzy Hash: bba3248dfe0a8094008bf00e44821606dc9f5e9e0ad3a2160be819b8434b5c4a
                                                                                                            • Instruction Fuzzy Hash: 6C13F674A107198FC725EF38C895BAAB7B2FF89300F50869DD4496B360DB71AA85CF41
                                                                                                            Function 076079B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 249processCOMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1230 76079b6-7607a55 1232 7607a57-7607a61 1230->1232 1233 7607a8e-7607aae 1230->1233 1232->1233 1234 7607a63-7607a65 1232->1234 1238 7607ab0-7607aba 1233->1238 1239 7607ae7-7607b16 1233->1239 1236 7607a67-7607a71 1234->1236 1237 7607a88-7607a8b 1234->1237 1240 7607a73 1236->1240 1241 7607a75-7607a84 1236->1241 1237->1233 1238->1239 1242 7607abc-7607abe 1238->1242 1249 7607b18-7607b22 1239->1249 1250 7607b4f-7607c09 CreateProcessA 1239->1250 1240->1241 1241->1241 1243 7607a86 1241->1243 1244 7607ac0-7607aca 1242->1244 1245 7607ae1-7607ae4 1242->1245 1243->1237 1247 7607acc 1244->1247 1248 7607ace-7607add 1244->1248 1245->1239 1247->1248 1248->1248 1251 7607adf 1248->1251 1249->1250 1252 7607b24-7607b26 1249->1252 1261 7607c12-7607c98 1250->1261 1262 7607c0b-7607c11 1250->1262 1251->1245 1253 7607b28-7607b32 1252->1253 1254 7607b49-7607b4c 1252->1254 1256 7607b34 1253->1256 1257 7607b36-7607b45 1253->1257 1254->1250 1256->1257 1257->1257 1258 7607b47 1257->1258 1258->1254 1272 7607ca8-7607cac 1261->1272 1273 7607c9a-7607c9e 1261->1273 1262->1261 1275 7607cbc-7607cc0 1272->1275 1276 7607cae-7607cb2 1272->1276 1273->1272 1274 7607ca0 1273->1274 1274->1272 1278 7607cd0-7607cd4 1275->1278 1279 7607cc2-7607cc6 1275->1279 1276->1275 1277 7607cb4 1276->1277 1277->1275 1280 7607ce6-7607ced 1278->1280 1281 7607cd6-7607cdc 1278->1281 1279->1278 1282 7607cc8 1279->1282 1283 7607d04 1280->1283 1284 7607cef-7607cfe 1280->1284 1281->1280 1282->1278 1286 7607d05 1283->1286 1284->1283 1286->1286
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07607BF6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID: *$*
                                                                                                            • API String ID: 963392458-2806035931
                                                                                                            • Opcode ID: 86be8ec4f306423b6b9361f69d1eab665ee25201e2bd8565bddf02e179e382b6
                                                                                                            • Instruction ID: 73e388438845ac63c21818db5de41e90580caec9718ae98d7fe746f5158c3b9f
                                                                                                            • Opcode Fuzzy Hash: 86be8ec4f306423b6b9361f69d1eab665ee25201e2bd8565bddf02e179e382b6
                                                                                                            • Instruction Fuzzy Hash: 8FA14DB1D0025ADFDF28CF68C8417EEBBB2BF44314F1485A9D809A7280DB75A985CF91
                                                                                                            Function 076079C0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243processCOMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1287 76079c0-7607a55 1289 7607a57-7607a61 1287->1289 1290 7607a8e-7607aae 1287->1290 1289->1290 1291 7607a63-7607a65 1289->1291 1295 7607ab0-7607aba 1290->1295 1296 7607ae7-7607b16 1290->1296 1293 7607a67-7607a71 1291->1293 1294 7607a88-7607a8b 1291->1294 1297 7607a73 1293->1297 1298 7607a75-7607a84 1293->1298 1294->1290 1295->1296 1299 7607abc-7607abe 1295->1299 1306 7607b18-7607b22 1296->1306 1307 7607b4f-7607c09 CreateProcessA 1296->1307 1297->1298 1298->1298 1300 7607a86 1298->1300 1301 7607ac0-7607aca 1299->1301 1302 7607ae1-7607ae4 1299->1302 1300->1294 1304 7607acc 1301->1304 1305 7607ace-7607add 1301->1305 1302->1296 1304->1305 1305->1305 1308 7607adf 1305->1308 1306->1307 1309 7607b24-7607b26 1306->1309 1318 7607c12-7607c98 1307->1318 1319 7607c0b-7607c11 1307->1319 1308->1302 1310 7607b28-7607b32 1309->1310 1311 7607b49-7607b4c 1309->1311 1313 7607b34 1310->1313 1314 7607b36-7607b45 1310->1314 1311->1307 1313->1314 1314->1314 1315 7607b47 1314->1315 1315->1311 1329 7607ca8-7607cac 1318->1329 1330 7607c9a-7607c9e 1318->1330 1319->1318 1332 7607cbc-7607cc0 1329->1332 1333 7607cae-7607cb2 1329->1333 1330->1329 1331 7607ca0 1330->1331 1331->1329 1335 7607cd0-7607cd4 1332->1335 1336 7607cc2-7607cc6 1332->1336 1333->1332 1334 7607cb4 1333->1334 1334->1332 1337 7607ce6-7607ced 1335->1337 1338 7607cd6-7607cdc 1335->1338 1336->1335 1339 7607cc8 1336->1339 1340 7607d04 1337->1340 1341 7607cef-7607cfe 1337->1341 1338->1337 1339->1335 1343 7607d05 1340->1343 1341->1340 1343->1343
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07607BF6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID: *$*
                                                                                                            • API String ID: 963392458-2806035931
                                                                                                            • Opcode ID: 9aba83c3209910c41a6d61fd9890870ebf7a6254321d893e3b093941f58bcbd7
                                                                                                            • Instruction ID: 2d785a30cbef46de67718d9b3232490c3e08c359298901d2d86811cc811f7e43
                                                                                                            • Opcode Fuzzy Hash: 9aba83c3209910c41a6d61fd9890870ebf7a6254321d893e3b093941f58bcbd7
                                                                                                            • Instruction Fuzzy Hash: D3914CB1D0021ADFDF28CF68C8417EEBBB2BF44314F1485A9D809A7280DB75A985CF91
                                                                                                            Function 056318E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1344 56318e5-5631956 1345 5631961-5631968 1344->1345 1346 5631958-563195e 1344->1346 1347 5631973-5631a12 CreateWindowExW 1345->1347 1348 563196a-5631970 1345->1348 1346->1345 1350 5631a14-5631a1a 1347->1350 1351 5631a1b-5631a53 1347->1351 1348->1347 1350->1351 1355 5631a60 1351->1355 1356 5631a55-5631a58 1351->1356 1357 5631a61 1355->1357 1356->1355 1357->1357
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05631A02
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2066890308.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5630000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID: *$*
                                                                                                            • API String ID: 716092398-2806035931
                                                                                                            • Opcode ID: 4daa6f8e355b41c7990bc1448144d0f27280bd46b9e4fc064b6ea75942b084f9
                                                                                                            • Instruction ID: 8d8e6f2e48904a1d2956f62ba7e9770c1a506a8d273fcff92871512348c27b9d
                                                                                                            • Opcode Fuzzy Hash: 4daa6f8e355b41c7990bc1448144d0f27280bd46b9e4fc064b6ea75942b084f9
                                                                                                            • Instruction Fuzzy Hash: 4651D0B1C003499FDB14CF99C985ADEBBB5BF88310F24852AE419AB310DB74A985CF90
                                                                                                            Function 056318F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1358 56318f0-5631956 1359 5631961-5631968 1358->1359 1360 5631958-563195e 1358->1360 1361 5631973-5631a12 CreateWindowExW 1359->1361 1362 563196a-5631970 1359->1362 1360->1359 1364 5631a14-5631a1a 1361->1364 1365 5631a1b-5631a53 1361->1365 1362->1361 1364->1365 1369 5631a60 1365->1369 1370 5631a55-5631a58 1365->1370 1371 5631a61 1369->1371 1370->1369 1371->1371
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05631A02
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2066890308.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5630000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID: *$*
                                                                                                            • API String ID: 716092398-2806035931
                                                                                                            • Opcode ID: b806c9ef45a6372d363eb37422ddcb7588440e70a942fa65d8a2d5b1eccc1989
                                                                                                            • Instruction ID: 5fd86f59bdcbc7ceb44c15bc6e7d8f0daed6cb4d4ddc3a9f5841323903320ed9
                                                                                                            • Opcode Fuzzy Hash: b806c9ef45a6372d363eb37422ddcb7588440e70a942fa65d8a2d5b1eccc1989
                                                                                                            • Instruction Fuzzy Hash: C141C1B1D003499FDB14CF99C885ADEBBB5FF89310F24812AE419AB350DB74A945CF90
                                                                                                            Function 0162AD48 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1478 162ad48-162ad57 1479 162ad83-162ad87 1478->1479 1480 162ad59-162ad66 call 1629374 1478->1480 1481 162ad9b-162addc 1479->1481 1482 162ad89-162ad93 1479->1482 1487 162ad68 1480->1487 1488 162ad7c 1480->1488 1489 162ade9-162adf7 1481->1489 1490 162adde-162ade6 1481->1490 1482->1481 1536 162ad6e call 162afe0 1487->1536 1537 162ad6e call 162afd1 1487->1537 1488->1479 1492 162ae1b-162ae1d 1489->1492 1493 162adf9-162adfe 1489->1493 1490->1489 1491 162ad74-162ad76 1491->1488 1494 162aeb8-162aecf 1491->1494 1495 162ae20-162ae27 1492->1495 1496 162ae00-162ae07 call 162a0b0 1493->1496 1497 162ae09 1493->1497 1511 162aed1-162af30 1494->1511 1499 162ae34-162ae3b 1495->1499 1500 162ae29-162ae31 1495->1500 1498 162ae0b-162ae19 1496->1498 1497->1498 1498->1495 1503 162ae48-162ae51 call 162a0c0 1499->1503 1504 162ae3d-162ae45 1499->1504 1500->1499 1509 162ae53-162ae5b 1503->1509 1510 162ae5e-162ae63 1503->1510 1504->1503 1509->1510 1512 162ae81-162ae85 1510->1512 1513 162ae65-162ae6c 1510->1513 1529 162af32-162af78 1511->1529 1516 162ae8b-162ae8e 1512->1516 1513->1512 1514 162ae6e-162ae7e call 162a0d0 call 162a0e0 1513->1514 1514->1512 1520 162ae90-162aeae 1516->1520 1521 162aeb1-162aeb7 1516->1521 1520->1521 1531 162af80-162afab GetModuleHandleW 1529->1531 1532 162af7a-162af7d 1529->1532 1533 162afb4-162afc8 1531->1533 1534 162afad-162afb3 1531->1534 1532->1531 1534->1533 1536->1491 1537->1491
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0162AF9E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064592244.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1620000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID: *
                                                                                                            • API String ID: 4139908857-4271904048
                                                                                                            • Opcode ID: 8cdfa345393cb8142e34cf2e74ae7cecb71b33240236a5b383f1a4fb81b258ac
                                                                                                            • Instruction ID: a529ab894aca0fa7b16b5c499a389bdf0f00e83fcddf8b6007c225d0d4be559f
                                                                                                            • Opcode Fuzzy Hash: 8cdfa345393cb8142e34cf2e74ae7cecb71b33240236a5b383f1a4fb81b258ac
                                                                                                            • Instruction Fuzzy Hash: B3711370A00B158FD724DF69D85475ABBF6FF88204F008929D48A97B50DBB5E846CF91
                                                                                                            Function 016244D4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1538 16244d4-16259b9 CreateActCtxA 1541 16259c2-1625a1c 1538->1541 1542 16259bb-16259c1 1538->1542 1549 1625a2b-1625a2f 1541->1549 1550 1625a1e-1625a21 1541->1550 1542->1541 1551 1625a40 1549->1551 1552 1625a31-1625a3d 1549->1552 1550->1549 1554 1625a41 1551->1554 1552->1551 1554->1554
                                                                                                            APIs
                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 016259A9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064592244.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1620000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Create
                                                                                                            • String ID: *
                                                                                                            • API String ID: 2289755597-4271904048
                                                                                                            • Opcode ID: 2536030cb5cc01689a4f1c08c6a0862576683aac5aea9e3824ee0ed64f16c72c
                                                                                                            • Instruction ID: 6b6cc31c4f123f4c770c87abb3da4eef39584f557cbe1456475c70dc73ac321c
                                                                                                            • Opcode Fuzzy Hash: 2536030cb5cc01689a4f1c08c6a0862576683aac5aea9e3824ee0ed64f16c72c
                                                                                                            • Instruction Fuzzy Hash: C941B0B0C00729CBDB24DFA9C884BDEBBF5BF49304F20806AD419AB255DB756946CF91
                                                                                                            Function 016258EC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1555 16258ec-16259b9 CreateActCtxA 1557 16259c2-1625a1c 1555->1557 1558 16259bb-16259c1 1555->1558 1565 1625a2b-1625a2f 1557->1565 1566 1625a1e-1625a21 1557->1566 1558->1557 1567 1625a40 1565->1567 1568 1625a31-1625a3d 1565->1568 1566->1565 1570 1625a41 1567->1570 1568->1567 1570->1570
                                                                                                            APIs
                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 016259A9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064592244.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1620000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Create
                                                                                                            • String ID: *
                                                                                                            • API String ID: 2289755597-4271904048
                                                                                                            • Opcode ID: 629a9316b4f995057d85b00f0e4eaf113fc7b2a23df0c194345c491d16c2a982
                                                                                                            • Instruction ID: e3929f89c443adb275ea7007e6caa2a1933173ca9bf89a00cc800831d13b7cd2
                                                                                                            • Opcode Fuzzy Hash: 629a9316b4f995057d85b00f0e4eaf113fc7b2a23df0c194345c491d16c2a982
                                                                                                            • Instruction Fuzzy Hash: 9C41EDB0C00719CADB24DFA9C984BDEBBB5BF48304F20806AD409AB255DB75694ACF91
                                                                                                            Function 05634050 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1571 5634050-563408c 1572 5634092-5634097 1571->1572 1573 563413c-563415c 1571->1573 1574 56340ea-5634122 CallWindowProcW 1572->1574 1575 5634099-56340d0 1572->1575 1580 563415f-563416c 1573->1580 1576 5634124-563412a 1574->1576 1577 563412b-563413a 1574->1577 1581 56340d2-56340d8 1575->1581 1582 56340d9-56340e8 1575->1582 1576->1577 1577->1580 1581->1582 1582->1580
                                                                                                            APIs
                                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 05634111
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2066890308.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5630000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CallProcWindow
                                                                                                            • String ID: *
                                                                                                            • API String ID: 2714655100-4271904048
                                                                                                            • Opcode ID: d4d737ef7915ad3e30530c0e5cbd3cc84494b0dc06e54e79e5499485a9c7c63b
                                                                                                            • Instruction ID: 2990593b1ca99c234beddde28ef7e416cfda69de77bc7e72f8c75ec3fd8c549c
                                                                                                            • Opcode Fuzzy Hash: d4d737ef7915ad3e30530c0e5cbd3cc84494b0dc06e54e79e5499485a9c7c63b
                                                                                                            • Instruction Fuzzy Hash: F1413AB4A007058FCB14CF89C449AAAFBF5FF89314F24C499D519A7321D774A845CFA0
                                                                                                            Function 07607732 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71injectionCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076077C8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID: *
                                                                                                            • API String ID: 3559483778-4271904048
                                                                                                            • Opcode ID: 7ffdcce46568aed5acd04c37aadd42c8336a4f0a9d93ccb18678ef7350054994
                                                                                                            • Instruction ID: 2b1cb91254d71fe361e96056dcc49bedaf6e54b3e140fc98ed191b75249b9958
                                                                                                            • Opcode Fuzzy Hash: 7ffdcce46568aed5acd04c37aadd42c8336a4f0a9d93ccb18678ef7350054994
                                                                                                            • Instruction Fuzzy Hash: FC2128B59002499FCB14DFA9C885BEEBBF1FF88310F10882AE519A7240D7789945CBA1
                                                                                                            Function 07607738 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69injectionCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076077C8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID: *
                                                                                                            • API String ID: 3559483778-4271904048
                                                                                                            • Opcode ID: 0db3bad3789272dcb4759bd043241f0e7fda32094c677075edd19be2449166ec
                                                                                                            • Instruction ID: 4894bc52f4ced4a24733fa5c7013d1e632dce9345a1d1b81ecb2a87ab160374b
                                                                                                            • Opcode Fuzzy Hash: 0db3bad3789272dcb4759bd043241f0e7fda32094c677075edd19be2449166ec
                                                                                                            • Instruction Fuzzy Hash: 482126B59003499FCB14DFA9C885BEEBBF5FF48310F108829E919A7240D778A944CBA0
                                                                                                            Function 07607598 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66threadCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0760761E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID: *
                                                                                                            • API String ID: 983334009-4271904048
                                                                                                            • Opcode ID: cc00c62fdbdd348a3610709c2a7d7214fdb3e16bb73a0df18891285775c5b2b4
                                                                                                            • Instruction ID: 944a96c8dd7294a718cfaa2ac234fdb983904d4e44bad7eb50f731cf64bb51d6
                                                                                                            • Opcode Fuzzy Hash: cc00c62fdbdd348a3610709c2a7d7214fdb3e16bb73a0df18891285775c5b2b4
                                                                                                            • Instruction Fuzzy Hash: E62116B59003099FDB14DFAAC4857AEFBF4FF48314F10842AD55AA7240CB78A945CFA5
                                                                                                            Function 07607820 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076078A8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessRead
                                                                                                            • String ID: *
                                                                                                            • API String ID: 1726664587-4271904048
                                                                                                            • Opcode ID: 37bd4e89e8e769e18b3ea0fb71fa0613a480d0d1f51ae3c9e057231529b731ef
                                                                                                            • Instruction ID: 3d538423bb1f45398cd773f89f98958f92a713b766b05783e9fc16c75ca13788
                                                                                                            • Opcode Fuzzy Hash: 37bd4e89e8e769e18b3ea0fb71fa0613a480d0d1f51ae3c9e057231529b731ef
                                                                                                            • Instruction Fuzzy Hash: A2214AB1C002499FCB14DFAAD8416EEFBF5FF88310F10842AE919A7240D738A945CBA1
                                                                                                            Function 0162B730 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0162D5E6,?,?,?,?,?), ref: 0162D6A7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064592244.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1620000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID: *
                                                                                                            • API String ID: 3793708945-4271904048
                                                                                                            • Opcode ID: c4bfc15a5842e3fdf9c7ca626ebfb699367c1cdbfb7be2cac624ee2be8c0cea9
                                                                                                            • Instruction ID: 34d26d69f7f30f0a01a3b60dc7ce5d482d49801a95e3258b20ae4b767736faf4
                                                                                                            • Opcode Fuzzy Hash: c4bfc15a5842e3fdf9c7ca626ebfb699367c1cdbfb7be2cac624ee2be8c0cea9
                                                                                                            • Instruction Fuzzy Hash: 4321E4B59002589FDB10DF9AD984AEEFFF8FB48310F14841AE918A7350D378A944CFA5
                                                                                                            Function 076075A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0760761E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID: *
                                                                                                            • API String ID: 983334009-4271904048
                                                                                                            • Opcode ID: 0241693366665cacbebcfa5466837fd755d75c450fb367ef61b4632a69c32d7e
                                                                                                            • Instruction ID: 7c995a54fdff092d14be3d99e886d48e0dd20878e46b46f2e86deaa9c1b495e0
                                                                                                            • Opcode Fuzzy Hash: 0241693366665cacbebcfa5466837fd755d75c450fb367ef61b4632a69c32d7e
                                                                                                            • Instruction Fuzzy Hash: 902134B5D002098FDB14DFAAC4857EEBBF4EF88314F10842AD45AA7240CB78A945CBA1
                                                                                                            Function 07607828 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076078A8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessRead
                                                                                                            • String ID: *
                                                                                                            • API String ID: 1726664587-4271904048
                                                                                                            • Opcode ID: d81ca0f62a0a7989f83a2b957830ace4bf5c28fb3afeef92f8a8b5ea0be342d4
                                                                                                            • Instruction ID: 2fa86c9dffa212db27f2e4d1e9ae39967bfa1c85091f42617154a0ff49824cbb
                                                                                                            • Opcode Fuzzy Hash: d81ca0f62a0a7989f83a2b957830ace4bf5c28fb3afeef92f8a8b5ea0be342d4
                                                                                                            • Instruction Fuzzy Hash: 242139B1C003499FDB14DFAAC845AEEFBF5FF48310F108429E519A7240D778A945CBA1
                                                                                                            Function 0162D618 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0162D5E6,?,?,?,?,?), ref: 0162D6A7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064592244.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1620000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID: *
                                                                                                            • API String ID: 3793708945-4271904048
                                                                                                            • Opcode ID: 197c8c401552f8dda8a50009dc02c884ebc8ceb65923a75e586098f66c714447
                                                                                                            • Instruction ID: 77d0f91a4ecdda4840c8a84cf368d5346186950feee5151152319a60a9a3b8fc
                                                                                                            • Opcode Fuzzy Hash: 197c8c401552f8dda8a50009dc02c884ebc8ceb65923a75e586098f66c714447
                                                                                                            • Instruction Fuzzy Hash: 2821E3B5D002189FDB10CF9AD984AEEBBF5EB48310F14841AE918B3350D378A944CF61
                                                                                                            Function 07607672 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57memoryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076076E6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: *
                                                                                                            • API String ID: 4275171209-4271904048
                                                                                                            • Opcode ID: 8135b85d32b306f0f9ab3b4e5699940dd8bb61a8c13afec7de69d13f78a5965b
                                                                                                            • Instruction ID: 92c40546cb4754eb924c053504e4370ee7e03d31982f753ccd0fbd6677948458
                                                                                                            • Opcode Fuzzy Hash: 8135b85d32b306f0f9ab3b4e5699940dd8bb61a8c13afec7de69d13f78a5965b
                                                                                                            • Instruction Fuzzy Hash: FE115CB59002499FCB10DFAAD8456DFFFF5EF88320F108819D519A7250C775A544CBA1
                                                                                                            Function 0162A108 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0162B019,00000800,00000000,00000000), ref: 0162B22A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064592244.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1620000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID: *
                                                                                                            • API String ID: 1029625771-4271904048
                                                                                                            • Opcode ID: 75c1b7b3d4b8868eed09b06476ba0103dffe46f4b0ac96c4f8ed2566578ee631
                                                                                                            • Instruction ID: c8887182d41038f726ac77fb1b1b2cf6d80429dddbbf4e7b99df4e143eaa1156
                                                                                                            • Opcode Fuzzy Hash: 75c1b7b3d4b8868eed09b06476ba0103dffe46f4b0ac96c4f8ed2566578ee631
                                                                                                            • Instruction Fuzzy Hash: 7C1129B5C007088FDB10DF9AD844AEEFBF4EB49310F10842AD519A7300C379A545CFA5
                                                                                                            Function 0162B1B9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0162B019,00000800,00000000,00000000), ref: 0162B22A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064592244.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1620000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID: *
                                                                                                            • API String ID: 1029625771-4271904048
                                                                                                            • Opcode ID: e484e7d05cbfb7664312e432c979c0c90a4211dd06ac662de5f319879e9a0457
                                                                                                            • Instruction ID: 9406c3d8b4a16534e37d56b8af45c10f5df11eb82bd28d896a3ddaa774dfbc30
                                                                                                            • Opcode Fuzzy Hash: e484e7d05cbfb7664312e432c979c0c90a4211dd06ac662de5f319879e9a0457
                                                                                                            • Instruction Fuzzy Hash: 0B1112B68007088FDB10CF9AD844BEEFBF4EB89310F10842AD519A7700C379A545CFA5
                                                                                                            Function 07607678 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076076E6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: *
                                                                                                            • API String ID: 4275171209-4271904048
                                                                                                            • Opcode ID: b004e5056a919fe9d3156f4ea2073eacd67b5fb794cd0f072d8820a4636a69d5
                                                                                                            • Instruction ID: 980b8001c98942e0c9941cad2add397499d58a5edbc3e04565b78dbb7d1e815a
                                                                                                            • Opcode Fuzzy Hash: b004e5056a919fe9d3156f4ea2073eacd67b5fb794cd0f072d8820a4636a69d5
                                                                                                            • Instruction Fuzzy Hash: 85110AB59002499FCB14DFAAC845ADFFFF5EF88310F148819D519A7250C779A544CFA1
                                                                                                            Function 0760C2D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0760C191,?,?), ref: 0760C338
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ChangeCloseFindNotification
                                                                                                            • String ID: *
                                                                                                            • API String ID: 2591292051-4271904048
                                                                                                            • Opcode ID: d28b3f0057efd1c2bdf2e910250d4d734372411ddb95c7e32c2a83bbeff02dd0
                                                                                                            • Instruction ID: 04afbb60c0bcbcfe4cf53a2323b9f929b5904a252e0ab24b01f17645f795363d
                                                                                                            • Opcode Fuzzy Hash: d28b3f0057efd1c2bdf2e910250d4d734372411ddb95c7e32c2a83bbeff02dd0
                                                                                                            • Instruction Fuzzy Hash: 811155B58002498FCB24DF99D445BEEBBF4EB88320F10842AD559A3340C338A985CFA1
                                                                                                            Function 076074E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51threadCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ResumeThread
                                                                                                            • String ID: *
                                                                                                            • API String ID: 947044025-4271904048
                                                                                                            • Opcode ID: ce5fad777c6601a8de42a0dafabed37d1a72cd2512d2059393a1f411ac39096a
                                                                                                            • Instruction ID: 3b233eed724b41a17b80ffd9d3a10f1cd6e2de9da8b808b3b428c7072c4e53b5
                                                                                                            • Opcode Fuzzy Hash: ce5fad777c6601a8de42a0dafabed37d1a72cd2512d2059393a1f411ac39096a
                                                                                                            • Instruction Fuzzy Hash: 731149B1C003488FCB14DFAAC4456EEFBF4EF88314F108819D519A7240CB78A944CBA1
                                                                                                            Function 0760BA80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0760C191,?,?), ref: 0760C338
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ChangeCloseFindNotification
                                                                                                            • String ID: *
                                                                                                            • API String ID: 2591292051-4271904048
                                                                                                            • Opcode ID: ed810cf365461f61ffd3f94805cc7bf3f199d584e86df4506d4b193892125c17
                                                                                                            • Instruction ID: 63aa6e9bcbcaee5c4af75f8dc1d141be002712f89c26b118e949566f2f9f8114
                                                                                                            • Opcode Fuzzy Hash: ed810cf365461f61ffd3f94805cc7bf3f199d584e86df4506d4b193892125c17
                                                                                                            • Instruction Fuzzy Hash: 4B1125B58002499FCB14DF9AC545BEEBBF4EB48320F10881AD559A7340D778A945CFA5
                                                                                                            Function 076074F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ResumeThread
                                                                                                            • String ID: *
                                                                                                            • API String ID: 947044025-4271904048
                                                                                                            • Opcode ID: 267c9528a33a3040a2838eac81cfc7b05e6c8e6e16ca3e89496c0a786a9ab363
                                                                                                            • Instruction ID: b8253ed48af61609fe8a44d9ae386e3f77b87ded1edf4e03d3742c932d8d1d01
                                                                                                            • Opcode Fuzzy Hash: 267c9528a33a3040a2838eac81cfc7b05e6c8e6e16ca3e89496c0a786a9ab363
                                                                                                            • Instruction Fuzzy Hash: E31125B1D002498BCB24DFAAC4457EEFBF5EF88324F208819D519A7340CB79A944CBA1
                                                                                                            Function 07609EF0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0760A5D5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePost
                                                                                                            • String ID: *
                                                                                                            • API String ID: 410705778-4271904048
                                                                                                            • Opcode ID: db1e7bfb3af3a91f2d39235405b16017904e1c72b937510cbfd9f5460e29de40
                                                                                                            • Instruction ID: b937c72563a41a6898c9d622a3f9c1ca0f50fa503cf21a954c335584903dd33c
                                                                                                            • Opcode Fuzzy Hash: db1e7bfb3af3a91f2d39235405b16017904e1c72b937510cbfd9f5460e29de40
                                                                                                            • Instruction Fuzzy Hash: CA11F2B58003499FCB10DF9AD489BEEBBF8FB49310F108819E519A7340D379A944CFA1
                                                                                                            Function 0162AF38 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0162AF9E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064592244.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1620000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID: *
                                                                                                            • API String ID: 4139908857-4271904048
                                                                                                            • Opcode ID: fb2891301762feaa4dbccb6b7c1d858a0eca16b025046d6de2837bfe91f91401
                                                                                                            • Instruction ID: 430adab136c242cacaaf24bd5bd5473f350c67ec682207f29a4174a6322dec35
                                                                                                            • Opcode Fuzzy Hash: fb2891301762feaa4dbccb6b7c1d858a0eca16b025046d6de2837bfe91f91401
                                                                                                            • Instruction Fuzzy Hash: C81110B5C006498FDB10DF9AD844ADEFBF4EF88314F10842AD918A7740C3B9A545CFA1
                                                                                                            Function 0760A570 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45windowCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0760A5D5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePost
                                                                                                            • String ID: *
                                                                                                            • API String ID: 410705778-4271904048
                                                                                                            • Opcode ID: e45aa0f3f27bb84ba4c8387518926b4f2763b0f5b4820402d04c09d5eed68076
                                                                                                            • Instruction ID: 80d6614f2aaf0d8550db8c343e0897f469727f011af657946cc7789714d50d9d
                                                                                                            • Opcode Fuzzy Hash: e45aa0f3f27bb84ba4c8387518926b4f2763b0f5b4820402d04c09d5eed68076
                                                                                                            • Instruction Fuzzy Hash: EB1110B58003499FCB10DF99C488BDEFBF4FB48310F10885AE559A7650C378A944CFA1
                                                                                                            Function 015CD3D8 Relevance: .1, Instructions: 75COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064385417.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15cd000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d98a186d5d7b20b23ea32239b96d2c185bfa45eba1a8f578d7560c2dbdc99114
                                                                                                            • Instruction ID: 1ec41f37b77a1990d1e9a315d357a41671082697244ce130200f53d41e605dc9
                                                                                                            • Opcode Fuzzy Hash: d98a186d5d7b20b23ea32239b96d2c185bfa45eba1a8f578d7560c2dbdc99114
                                                                                                            • Instruction Fuzzy Hash: F921F171100204DFDB05DF98C9C0B6ABFB5FB88714F20857DDA098E256C37AE406C6E1
                                                                                                            Function 015DD01C Relevance: .1, Instructions: 72COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064445620.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15dd000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 298985e4b69e0ef510d93368a8c3f43a288c707a2e447aa3d0fd0616e52e9817
                                                                                                            • Instruction ID: 241a84d5fb5eae767306f2fbbafe6543b8a04cc5b9ecc9e13141b7e49fb37162
                                                                                                            • Opcode Fuzzy Hash: 298985e4b69e0ef510d93368a8c3f43a288c707a2e447aa3d0fd0616e52e9817
                                                                                                            • Instruction Fuzzy Hash: B3210071604204DFCB25DF6CD980B26BFB5FB88314F20C969D90A4F296D33AD406CBA1
                                                                                                            Function 015DD1D4 Relevance: .1, Instructions: 72COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064445620.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15dd000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d13152f8ae3c7b48f38fe3a1ebbc4da3b129e80906f6be6e980c8cc40a59918c
                                                                                                            • Instruction ID: e91db0b64ef1ce4082aa7ed68d72213843cf67a1ff64e615e7926dd6ca6ae79d
                                                                                                            • Opcode Fuzzy Hash: d13152f8ae3c7b48f38fe3a1ebbc4da3b129e80906f6be6e980c8cc40a59918c
                                                                                                            • Instruction Fuzzy Hash: 2421D371544204AFDB25DFA8D980B26BBB5FB84324F20C96DD9494F296C33AD446CB61
                                                                                                            Function 015DD005 Relevance: .1, Instructions: 63COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064445620.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15dd000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fcbb4407db537e072a131b90d0a7993b75b40d5ecd2861b3cf176692e8073150
                                                                                                            • Instruction ID: 25cf9fa6699f64721e1dc6f9b20ff7014d3c4a0b2a1b9fb4fb2c4a8f468daa7b
                                                                                                            • Opcode Fuzzy Hash: fcbb4407db537e072a131b90d0a7993b75b40d5ecd2861b3cf176692e8073150
                                                                                                            • Instruction Fuzzy Hash: BB2183755083849FCB13CF68D994715BF71FB86214F28C5DAD8498F2A7D33A9806CB62
                                                                                                            Function 015CD3D3 Relevance: .1, Instructions: 56COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064385417.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15cd000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                                            • Instruction ID: 6ab952ccc636442c65e04d52a324e803330a1c82771b4ad062ea636bcb6326b4
                                                                                                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                                            • Instruction Fuzzy Hash: E311CD72404240DFDB02CF84D9C4B5ABF71FB84224F24C6ADDA094A256C37AE45ACBA2
                                                                                                            Function 015DD1CF Relevance: .1, Instructions: 53COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064445620.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15dd000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                                            • Instruction ID: 6934d2350de23a538f3517ec0df803ac430453170dc98ad12f2d2d5743d83a05
                                                                                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                                            • Instruction Fuzzy Hash: BA11BB75504280DFDB12CF58C5C4B19BFB1FB84224F24C6A9D8494F696C33AD40ACB62

                                                                                                            Non-executed Functions

                                                                                                            Function 0760C800 Relevance: .4, Instructions: 358COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 721b8f7a8e6931a5ecf13bbd1a825f1ab3ab456e3f83493eff61a4c93fab3e35
                                                                                                            • Instruction ID: cc8b793a40a9eec5e7a3331dcf3867d00fe2f34edc3c500e9e3826f59cfa905a
                                                                                                            • Opcode Fuzzy Hash: 721b8f7a8e6931a5ecf13bbd1a825f1ab3ab456e3f83493eff61a4c93fab3e35
                                                                                                            • Instruction Fuzzy Hash: 33D1B8B0700A158BDB29DB75C850BAF77FAAF89600F14856DD14ACB7D0DB74E801CBA5
                                                                                                            Function 05630040 Relevance: .3, Instructions: 315COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2066890308.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5630000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fd6939905a121692c3911ddcb740cd405047c8c41cfb073fc8f380f64fcb7cc6
                                                                                                            • Instruction ID: 04fe900f2700716ab396c8c6c7d93bb8f6e181c54d9e70497cb1392bf9eda0d4
                                                                                                            • Opcode Fuzzy Hash: fd6939905a121692c3911ddcb740cd405047c8c41cfb073fc8f380f64fcb7cc6
                                                                                                            • Instruction Fuzzy Hash: 491275F0C8974A8AD710CF65E94C189BAB1FB45398BD04B09D2B27F2E1DBB4156ACF44
                                                                                                            Function 07604D30 Relevance: .3, Instructions: 312COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bb6a637dc61f830313c1036790e45ab876887df20c6d059fb0b1824e570b33e1
                                                                                                            • Instruction ID: c7afa90799e1e8d7f3a11d66e41a7ca44bbc39d564da5c0363b5fc545324b397
                                                                                                            • Opcode Fuzzy Hash: bb6a637dc61f830313c1036790e45ab876887df20c6d059fb0b1824e570b33e1
                                                                                                            • Instruction Fuzzy Hash: 95E11CB4E002598FCB18DFA9C5809AEFBF2FF89305F248169D515AB356D731A941CFA0
                                                                                                            Function 076055A0 Relevance: .3, Instructions: 312COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8c55e49f6539e922924dcea01a3e3bcd972440c05c27e221b8c4561297b36311
                                                                                                            • Instruction ID: cce7cdf7bdceb8c76652b43bc07f8da81310187614299605898483fa1201f9d2
                                                                                                            • Opcode Fuzzy Hash: 8c55e49f6539e922924dcea01a3e3bcd972440c05c27e221b8c4561297b36311
                                                                                                            • Instruction Fuzzy Hash: D3E1FAB4E001198FDB18DFA9C5849AEFBF2BF89305F248159E416AB356D730AD41CFA1
                                                                                                            Function 07606C78 Relevance: .3, Instructions: 312COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: be0ee84dd42b1168cb93780059df8285c89e73eb07eed28ed719eae5a4f71344
                                                                                                            • Instruction ID: e465d154b052ba6ac0a5056f1d4937d60f0c5ed203e50a42a7b205e9d8e48c72
                                                                                                            • Opcode Fuzzy Hash: be0ee84dd42b1168cb93780059df8285c89e73eb07eed28ed719eae5a4f71344
                                                                                                            • Instruction Fuzzy Hash: 4DE1FCB4E002198FCB14DFA9C590AAEFBF2FF89305F248169D415AB356D731A941CFA1
                                                                                                            Function 07605168 Relevance: .3, Instructions: 312COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fe0ae09dea47daaff424f28b4ecd099c60d1206b6523c91774169ff71276d701
                                                                                                            • Instruction ID: 52713484b7b548b0bf07a47db7af52af55806068fb67fa03ba404637f13c3dec
                                                                                                            • Opcode Fuzzy Hash: fe0ae09dea47daaff424f28b4ecd099c60d1206b6523c91774169ff71276d701
                                                                                                            • Instruction Fuzzy Hash: 26E10EB4E001198FCB18DFA9C5909AEFBF2FF89305F248159E416AB356D730A945CFA1
                                                                                                            Function 07606840 Relevance: .3, Instructions: 312COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5c276eeb08e34e5bfd6579befd9074d1e143eda2e0457627ea9ff89f155f82d6
                                                                                                            • Instruction ID: f03d835327beef80cca1fab9baec3f0e6416fe0e8fbd596c4d7cf0b376bbdc62
                                                                                                            • Opcode Fuzzy Hash: 5c276eeb08e34e5bfd6579befd9074d1e143eda2e0457627ea9ff89f155f82d6
                                                                                                            • Instruction Fuzzy Hash: 07E1E9B4E001198FCB18DFA9C5909AEBBF2FF89305F248169D415AB356D731AD41CFA1
                                                                                                            Function 0162D304 Relevance: .3, Instructions: 264COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2064592244.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1620000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1557a40a815f64876ddbae087c40579d3e4dedbe73f8e9721985ffa85cab166f
                                                                                                            • Instruction ID: 148c2f31525cd3ff6bb878398e2f0b003c93dd8dba460e98d96f9be68cc658b5
                                                                                                            • Opcode Fuzzy Hash: 1557a40a815f64876ddbae087c40579d3e4dedbe73f8e9721985ffa85cab166f
                                                                                                            • Instruction Fuzzy Hash: F7A18031E0062A8FCF05DFB4C85499EBBB2FF94300B1585AAE901BB261DB35E916CF40
                                                                                                            Function 05630007 Relevance: .2, Instructions: 237COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2066890308.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5630000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 70f8f32b1f4a14e0acd423cbad35d093065af38c10d1ca14c68fcae61e2fa43b
                                                                                                            • Instruction ID: 88c91a227dca604c2f9fdd01390b2f6e9e3a684d1e88fa8af1c8beb91f7c3d73
                                                                                                            • Opcode Fuzzy Hash: 70f8f32b1f4a14e0acd423cbad35d093065af38c10d1ca14c68fcae61e2fa43b
                                                                                                            • Instruction Fuzzy Hash: 0DC107B0C8474A8AD711CF75E84C189BBB2FB85398F904B19D1B27B2E1DBB4146ACF44
                                                                                                            Function 07604D11 Relevance: .1, Instructions: 147COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d9d0c0034b5b125fd24cc41fce2d65cf1610e58ec7d505783bd23ea7b0b66253
                                                                                                            • Instruction ID: 61a38e05805a152d75045fd9b01727c937dfd964f4000b3dbf8624e4fe4c4f33
                                                                                                            • Opcode Fuzzy Hash: d9d0c0034b5b125fd24cc41fce2d65cf1610e58ec7d505783bd23ea7b0b66253
                                                                                                            • Instruction Fuzzy Hash: B0514EB1E002598FCB18DF69C5405AEFBF2FF89315F24816AD419A7356D7309A42CFA1
                                                                                                            Function 07606831 Relevance: .1, Instructions: 133COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2068370111.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7600000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9c3a35545d27b14d17535eb83da5b7944ce5643038ef68f314cf8246dab53918
                                                                                                            • Instruction ID: e10c3d1d4d46932b9d418f7e827bad0d86f1bbba6eadffc8d90698fd9fddefae
                                                                                                            • Opcode Fuzzy Hash: 9c3a35545d27b14d17535eb83da5b7944ce5643038ef68f314cf8246dab53918
                                                                                                            • Instruction Fuzzy Hash: 8551FCB4E002198FCB18DFA9C5805AEBBF2BF89305F24C5AAD419A7356D7309D45CFA1

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:12.3%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:117
                                                                                                            Total number of Limit Nodes:11
                                                                                                            execution_graph 39656 c26620 DuplicateHandle 39657 c266b6 39656->39657 39658 c263d8 39659 c2641e GetCurrentProcess 39658->39659 39661 c26470 GetCurrentThread 39659->39661 39662 c26469 39659->39662 39663 c264a6 39661->39663 39664 c264ad GetCurrentProcess 39661->39664 39662->39661 39663->39664 39667 c264e3 39664->39667 39665 c2650b GetCurrentThreadId 39666 c2653c 39665->39666 39667->39665 39668 f60848 39670 f6084e 39668->39670 39669 f6091b 39670->39669 39674 c252c2 39670->39674 39678 c252d0 39670->39678 39682 f61380 39670->39682 39675 c252df 39674->39675 39692 c24a9c 39675->39692 39679 c252df 39678->39679 39680 c24a9c 2 API calls 39679->39680 39681 c25300 39680->39681 39681->39670 39684 f6132d 39682->39684 39685 f6138b 39682->39685 39683 f61484 39683->39670 39684->39670 39685->39683 39761 f67c64 39685->39761 39765 f67eb8 39685->39765 39772 f67d20 39685->39772 39776 f67da0 39685->39776 39780 f67ca5 39685->39780 39784 f67d34 39685->39784 39694 c24aa1 39692->39694 39696 c261fc 39694->39696 39695 c26c86 39695->39695 39697 c26207 39696->39697 39698 c273ac 39697->39698 39701 c28fc1 39697->39701 39706 c29028 39697->39706 39698->39695 39703 c28fc2 39701->39703 39702 c2906d 39702->39698 39703->39702 39711 c291d7 39703->39711 39715 c291d8 39703->39715 39707 c29049 39706->39707 39708 c2906d 39707->39708 39709 c291d7 2 API calls 39707->39709 39710 c291d8 2 API calls 39707->39710 39708->39698 39709->39708 39710->39708 39712 c291e5 39711->39712 39713 c2921e 39712->39713 39719 c27f2c 39712->39719 39713->39702 39716 c291e5 39715->39716 39717 c2921e 39716->39717 39718 c27f2c 2 API calls 39716->39718 39717->39702 39718->39717 39720 c27f37 39719->39720 39722 c29290 39720->39722 39723 c27f60 39720->39723 39722->39722 39724 c27f6b 39723->39724 39730 c27f70 39724->39730 39726 c292ff 39734 c2e520 39726->39734 39740 c2e51f 39726->39740 39727 c29339 39727->39722 39731 c27f7b 39730->39731 39732 c2a4a0 39731->39732 39733 c29028 2 API calls 39731->39733 39732->39726 39733->39732 39736 c2e551 39734->39736 39737 c2e59d 39734->39737 39735 c2e55d 39735->39727 39736->39735 39746 c2e798 39736->39746 39749 c2e789 39736->39749 39737->39727 39742 c2e551 39740->39742 39743 c2e59d 39740->39743 39741 c2e55d 39741->39727 39742->39741 39744 c2e798 2 API calls 39742->39744 39745 c2e789 2 API calls 39742->39745 39743->39727 39744->39743 39745->39743 39753 c2e7d8 39746->39753 39747 c2e7a2 39747->39737 39750 c2e798 39749->39750 39752 c2e7d8 2 API calls 39750->39752 39751 c2e7a2 39751->39737 39752->39751 39754 c2e7f9 39753->39754 39755 c2e81c 39753->39755 39754->39755 39759 c2ea80 LoadLibraryExW 39754->39759 39760 c2ea70 LoadLibraryExW 39754->39760 39755->39747 39756 c2ea20 GetModuleHandleW 39758 c2ea4d 39756->39758 39757 c2e814 39757->39755 39757->39756 39758->39747 39759->39757 39760->39757 39763 f67c65 39761->39763 39762 f67cad 39762->39685 39763->39762 39788 f6f3ff 39763->39788 39767 f67ec2 39765->39767 39766 f67edc 39768 f67f22 39766->39768 39771 f6f3ff 2 API calls 39766->39771 39767->39766 39769 670fa50 2 API calls 39767->39769 39770 670fa40 2 API calls 39767->39770 39768->39685 39769->39766 39770->39766 39771->39768 39774 f67d2b 39772->39774 39773 f67f22 39773->39685 39774->39773 39775 f6f3ff 2 API calls 39774->39775 39775->39773 39778 f67db6 39776->39778 39777 f67f22 39777->39685 39778->39777 39779 f6f3ff 2 API calls 39778->39779 39779->39777 39782 f67c65 39780->39782 39781 f67cad 39781->39685 39782->39780 39782->39781 39783 f6f3ff 2 API calls 39782->39783 39783->39781 39785 f67d96 39784->39785 39786 f67f22 39785->39786 39787 f6f3ff 2 API calls 39785->39787 39786->39685 39787->39786 39789 f6f40a 39788->39789 39793 670fa40 39789->39793 39797 670fa50 39789->39797 39790 f6f411 39790->39762 39795 670fa50 39793->39795 39794 670fc7a 39794->39790 39795->39794 39796 670fc90 GlobalMemoryStatusEx GlobalMemoryStatusEx 39795->39796 39796->39795 39798 670fa65 39797->39798 39799 670fc7a 39798->39799 39800 670fc90 GlobalMemoryStatusEx GlobalMemoryStatusEx 39798->39800 39799->39790 39800->39798

                                                                                                            Executed Functions

                                                                                                            Function 06703060 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 891 6703060-6703081 892 6703083-6703086 891->892 893 6703827-670382a 892->893 894 670308c-67030ab 892->894 895 6703850-6703852 893->895 896 670382c-670384b 893->896 903 67030c4-67030ce 894->903 904 67030ad-67030b0 894->904 897 6703854 895->897 898 6703859-670385c 895->898 896->895 897->898 898->892 901 6703862-670386b 898->901 909 67030d4-67030e3 903->909 904->903 906 67030b2-67030c2 904->906 906->909 1017 67030e5 call 6703880 909->1017 1018 67030e5 call 6703878 909->1018 910 67030ea-67030ef 911 67030f1-67030f7 910->911 912 67030fc-67033d9 910->912 911->901 933 6703819-6703826 912->933 934 67033df-670348e 912->934 943 6703490-67034b5 934->943 944 67034b7 934->944 946 67034c0-67034d3 943->946 944->946 948 6703800-670380c 946->948 949 67034d9-67034fb 946->949 948->934 950 6703812 948->950 949->948 952 6703501-670350b 949->952 950->933 952->948 953 6703511-670351c 952->953 953->948 954 6703522-67035f8 953->954 966 6703606-6703636 954->966 967 67035fa-67035fc 954->967 971 6703644-6703650 966->971 972 6703638-670363a 966->972 967->966 973 67036b0-67036b4 971->973 974 6703652-6703656 971->974 972->971 975 67037f1-67037fa 973->975 976 67036ba-67036f6 973->976 974->973 977 6703658-6703682 974->977 975->948 975->954 987 6703704-6703712 976->987 988 67036f8-67036fa 976->988 984 6703690-67036ad 977->984 985 6703684-6703686 977->985 984->973 985->984 991 6703714-670371f 987->991 992 6703729-6703734 987->992 988->987 991->992 995 6703721 991->995 996 6703736-670373c 992->996 997 670374c-670375d 992->997 995->992 998 6703740-6703742 996->998 999 670373e 996->999 1001 6703775-6703781 997->1001 1002 670375f-6703765 997->1002 998->997 999->997 1006 6703783-6703789 1001->1006 1007 6703799-67037ea 1001->1007 1003 6703767 1002->1003 1004 6703769-670376b 1002->1004 1003->1001 1004->1001 1008 670378b 1006->1008 1009 670378d-670378f 1006->1009 1007->975 1008->1007 1009->1007 1017->910 1018->910
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                                                                            • API String ID: 0-3723351465
                                                                                                            • Opcode ID: f9c73427452f07936db8b7c2bab085364f2fc06a33edcb621dd6cddb9268ed74
                                                                                                            • Instruction ID: 9df386bddb71bcfccb51f6f6c81bab6b79cc6d65911d75db2430196b522ef0bc
                                                                                                            • Opcode Fuzzy Hash: f9c73427452f07936db8b7c2bab085364f2fc06a33edcb621dd6cddb9268ed74
                                                                                                            • Instruction Fuzzy Hash: A6323E31E1061ACFDB15EF79D89459DB7F2FF89310F20C6AAD409A7254EB30A985CB90
                                                                                                            Function 0670B638 Relevance: 8.0, Strings: 6, Instructions: 475COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1019 670b638-670b65a 1020 670b65c-670b65f 1019->1020 1021 670b661-670b668 1020->1021 1022 670b689-670b68c 1020->1022 1023 670b9e4-670ba1e 1021->1023 1024 670b66e-670b67e 1021->1024 1025 670b6a3-670b6a6 1022->1025 1026 670b68e-670b691 1022->1026 1035 670ba20-670ba23 1023->1035 1039 670b684 1024->1039 1040 670b82b-670b832 1024->1040 1028 670b80b-670b80c 1025->1028 1029 670b6ac-670b6af 1025->1029 1026->1023 1027 670b697-670b69e 1026->1027 1027->1025 1034 670b811-670b814 1028->1034 1031 670b6b5-670b6b8 1029->1031 1032 670b73a-670b73d 1029->1032 1036 670b6c5-670b6c8 1031->1036 1037 670b6ba-670b6c0 1031->1037 1032->1026 1038 670b743 1032->1038 1041 670b826-670b829 1034->1041 1042 670b816 1034->1042 1043 670ba25-670ba41 1035->1043 1044 670ba46-670ba49 1035->1044 1045 670b6ca-670b6d3 1036->1045 1046 670b6de-670b6e1 1036->1046 1037->1036 1047 670b748-670b74b 1038->1047 1039->1022 1040->1023 1049 670b838-670b848 1040->1049 1041->1040 1048 670b853-670b856 1041->1048 1050 670b81e-670b821 1042->1050 1043->1044 1057 670bcb5-670bcb7 1044->1057 1058 670ba4f-670ba77 1044->1058 1051 670b9b0-670b9b9 1045->1051 1052 670b6d9 1045->1052 1055 670b6e3-670b6e8 1046->1055 1056 670b6eb-670b6ee 1046->1056 1053 670b755-670b758 1047->1053 1054 670b74d-670b750 1047->1054 1059 670b860-670b863 1048->1059 1060 670b858-670b85b 1048->1060 1073 670b8ce-670b8d5 1049->1073 1074 670b84e 1049->1074 1050->1041 1051->1023 1065 670b9bb-670b9c2 1051->1065 1052->1046 1053->1028 1067 670b75e-670b761 1053->1067 1054->1053 1055->1056 1063 670b6f0-670b6f9 1056->1063 1064 670b6fe-670b701 1056->1064 1061 670bcb9 1057->1061 1062 670bcbe-670bcc1 1057->1062 1122 670ba81-670bac5 1058->1122 1123 670ba79-670ba7c 1058->1123 1069 670b865-670b86c 1059->1069 1070 670b877-670b87a 1059->1070 1060->1059 1061->1062 1062->1035 1075 670bcc7-670bcd0 1062->1075 1063->1064 1076 670b703-670b70a 1064->1076 1077 670b71b-670b71e 1064->1077 1078 670b9c7-670b9c9 1065->1078 1071 670b763-670b77f 1067->1071 1072 670b784-670b787 1067->1072 1080 670b872 1069->1080 1081 670b72a-670b730 1069->1081 1082 670b8b9-670b8bc 1070->1082 1083 670b87c-670b891 1070->1083 1071->1072 1094 670b799-670b79c 1072->1094 1095 670b789-670b794 1072->1095 1073->1023 1086 670b8db-670b8eb 1073->1086 1074->1048 1076->1023 1087 670b710-670b716 1076->1087 1090 670b720-670b722 1077->1090 1091 670b725-670b728 1077->1091 1088 670b9d0-670b9d3 1078->1088 1089 670b9cb 1078->1089 1080->1070 1092 670b735-670b738 1081->1092 1084 670b8c9-670b8cc 1082->1084 1085 670b8be-670b8c4 1082->1085 1083->1023 1102 670b897-670b8b4 1083->1102 1084->1073 1098 670b8f6-670b8f9 1084->1098 1085->1084 1086->1028 1110 670b8f1 1086->1110 1087->1077 1088->1020 1099 670b9d9-670b9e3 1088->1099 1089->1088 1090->1091 1091->1081 1091->1092 1092->1032 1092->1047 1094->1028 1097 670b79e-670b7a1 1094->1097 1095->1094 1103 670b7e0-670b7e3 1097->1103 1104 670b7a3-670b7b8 1097->1104 1106 670b95a-670b95d 1098->1106 1107 670b8fb-670b955 call 6706598 1098->1107 1102->1082 1103->1045 1109 670b7e9-670b7ec 1103->1109 1104->1023 1125 670b7be-670b7db 1104->1125 1112 670b97f-670b982 1106->1112 1113 670b95f-670b97a 1106->1113 1107->1106 1119 670b806-670b809 1109->1119 1120 670b7ee-670b7f5 1109->1120 1110->1098 1116 670b984-670b98b 1112->1116 1117 670b998-670b99b 1112->1117 1113->1112 1116->1023 1124 670b98d-670b993 1116->1124 1126 670b9ab-670b9ae 1117->1126 1127 670b99d-670b9a6 1117->1127 1119->1028 1119->1034 1120->1023 1128 670b7fb-670b801 1120->1128 1139 670bcaa-670bcb4 1122->1139 1140 670bacb-670bad4 1122->1140 1123->1075 1124->1117 1125->1103 1126->1051 1126->1078 1127->1126 1128->1119 1141 670bca0-670bca5 1140->1141 1142 670bada-670bb46 call 6706598 1140->1142 1141->1139 1153 670bc40-670bc55 1142->1153 1154 670bb4c-670bb51 1142->1154 1153->1141 1155 670bb53-670bb59 1154->1155 1156 670bb6d 1154->1156 1158 670bb5b-670bb5d 1155->1158 1159 670bb5f-670bb61 1155->1159 1160 670bb6f-670bb75 1156->1160 1161 670bb6b 1158->1161 1159->1161 1162 670bb77-670bb7d 1160->1162 1163 670bb8a-670bb97 1160->1163 1161->1160 1164 670bb83 1162->1164 1165 670bc2b-670bc3a 1162->1165 1169 670bb99-670bb9f 1163->1169 1170 670bbaf-670bbbc 1163->1170 1164->1163 1166 670bbf2-670bbff 1164->1166 1167 670bbbe-670bbcb 1164->1167 1165->1153 1165->1154 1179 670bc01-670bc07 1166->1179 1180 670bc17-670bc24 1166->1180 1177 670bbe3-670bbf0 1167->1177 1178 670bbcd-670bbd3 1167->1178 1172 670bba1 1169->1172 1173 670bba3-670bba5 1169->1173 1170->1165 1172->1170 1173->1170 1177->1165 1181 670bbd5 1178->1181 1182 670bbd7-670bbd9 1178->1182 1183 670bc09 1179->1183 1184 670bc0b-670bc0d 1179->1184 1180->1165 1181->1177 1182->1177 1183->1180 1184->1180
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                                                                            • API String ID: 0-3723351465
                                                                                                            • Opcode ID: 821126ea79bf5c8161349c728c5d2d1518fcc5589298c2395de3ba9bb28237fc
                                                                                                            • Instruction ID: fe8213a1c75d55a4effda4a4afb7f06246c070c91c09d5eca6428838b72883f8
                                                                                                            • Opcode Fuzzy Hash: 821126ea79bf5c8161349c728c5d2d1518fcc5589298c2395de3ba9bb28237fc
                                                                                                            • Instruction Fuzzy Hash: B2026D30E1020ACFEBA4CBA8D580AADB7F5FB45714F108526D405DB395DB36DE46CBA1
                                                                                                            Function 06707D78 Relevance: 3.0, Strings: 2, Instructions: 473COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1604 6707d78-6707d96 1605 6707d98-6707d9b 1604->1605 1606 6707d9d-6707db9 1605->1606 1607 6707dbe-6707dc1 1605->1607 1606->1607 1608 6707dc3-6707dd1 1607->1608 1609 6707dd8-6707ddb 1607->1609 1616 6707dd3 1608->1616 1617 6707e1e-6707e34 1608->1617 1610 6707de8-6707deb 1609->1610 1611 6707ddd-6707de7 1609->1611 1614 6707e0c-6707e0e 1610->1614 1615 6707ded-6707e07 1610->1615 1618 6707e10 1614->1618 1619 6707e15-6707e18 1614->1619 1615->1614 1616->1609 1623 6707e3a-6707e43 1617->1623 1624 670804f-6708059 1617->1624 1618->1619 1619->1605 1619->1617 1626 6707e49-6707e66 1623->1626 1627 670805a-670808f 1623->1627 1636 670803c-6708049 1626->1636 1637 6707e6c-6707e94 1626->1637 1630 6708091-6708094 1627->1630 1632 6708141-6708144 1630->1632 1633 670809a-67080a6 1630->1633 1634 6708146-6708162 1632->1634 1635 6708167-670816a 1632->1635 1640 67080b1-67080b3 1633->1640 1634->1635 1638 6708170-670817f 1635->1638 1639 670839f-67083a1 1635->1639 1636->1623 1636->1624 1637->1636 1660 6707e9a-6707ea3 1637->1660 1655 6708181-670819c 1638->1655 1656 670819e-67081e2 1638->1656 1642 67083a3 1639->1642 1643 67083a8-67083ab 1639->1643 1645 67080b5-67080bb 1640->1645 1646 67080cb-67080cf 1640->1646 1642->1643 1643->1630 1651 67083b1-67083ba 1643->1651 1647 67080bd 1645->1647 1648 67080bf-67080c1 1645->1648 1649 67080d1-67080db 1646->1649 1650 67080dd 1646->1650 1647->1646 1648->1646 1653 67080e2-67080e4 1649->1653 1650->1653 1658 67080e6-67080e9 1653->1658 1659 67080fb-6708134 1653->1659 1655->1656 1664 6708373-6708389 1656->1664 1665 67081e8-67081f9 1656->1665 1658->1651 1659->1638 1683 6708136-6708140 1659->1683 1660->1627 1663 6707ea9-6707ec5 1660->1663 1670 670802a-6708036 1663->1670 1671 6707ecb-6707ef5 1663->1671 1664->1639 1675 670835e-670836d 1665->1675 1676 67081ff-670821c 1665->1676 1670->1636 1670->1660 1687 6708020-6708025 1671->1687 1688 6707efb-6707f23 1671->1688 1675->1664 1675->1665 1676->1675 1686 6708222-6708318 call 6706598 1676->1686 1737 6708326 1686->1737 1738 670831a-6708324 1686->1738 1687->1670 1688->1687 1695 6707f29-6707f57 1688->1695 1695->1687 1700 6707f5d-6707f66 1695->1700 1700->1687 1701 6707f6c-6707f9e 1700->1701 1709 6707fa0-6707fa4 1701->1709 1710 6707fa9-6707fc5 1701->1710 1709->1687 1712 6707fa6 1709->1712 1710->1670 1713 6707fc7-670801e call 6706598 1710->1713 1712->1710 1713->1670 1739 670832b-670832d 1737->1739 1738->1739 1739->1675 1740 670832f-6708334 1739->1740 1741 6708342 1740->1741 1742 6708336-6708340 1740->1742 1743 6708347-6708349 1741->1743 1742->1743 1743->1675 1744 670834b-6708357 1743->1744 1744->1675
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q
                                                                                                            • API String ID: 0-127220927
                                                                                                            • Opcode ID: 95fb8c6d290b1bd7e1dabffd061cc6c89580cbf9c6c9c8477e7a06cc5b01918b
                                                                                                            • Instruction ID: e57981930f822d9f645431e846dae42ded4c248847c1c61eabcd70a2c4885912
                                                                                                            • Opcode Fuzzy Hash: 95fb8c6d290b1bd7e1dabffd061cc6c89580cbf9c6c9c8477e7a06cc5b01918b
                                                                                                            • Instruction Fuzzy Hash: B9028C30B01206DFEB58DF68D890A6EB7E6FF84304F148529D4099B395DB35EC46CBA2
                                                                                                            Function 067055A0 Relevance: 1.8, Strings: 1, Instructions: 588COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $
                                                                                                            • API String ID: 0-3993045852
                                                                                                            • Opcode ID: 4d122e74dda3ad2d757c4be1dff5c55526c24578f4f841eb29049d85bf28ab76
                                                                                                            • Instruction ID: afc555d1adedbd4b1ee475750f1cc1609ddfaaec68449b03185a7279427ce495
                                                                                                            • Opcode Fuzzy Hash: 4d122e74dda3ad2d757c4be1dff5c55526c24578f4f841eb29049d85bf28ab76
                                                                                                            • Instruction Fuzzy Hash: EC22A035E00205CFFB64DBA4CA806AEB7F2EB84314F208569D409AB385DB35DD42CFA1
                                                                                                            Function 06702348 Relevance: 1.0, Instructions: 1004COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0a6324fe4bc4ea2f14ab36c891047a27304171709a1b2ec9b66fa70c7e5fa92b
                                                                                                            • Instruction ID: cc7d723a1debe1c6b8df638105dc690ed91d1fe4a2192bac806db6aca5585f1f
                                                                                                            • Opcode Fuzzy Hash: 0a6324fe4bc4ea2f14ab36c891047a27304171709a1b2ec9b66fa70c7e5fa92b
                                                                                                            • Instruction Fuzzy Hash: 57927735E00204CFEB64DB68C588A6DB7F2FB45314F54C4A9D419AB3A2DB35ED85CBA0
                                                                                                            Function 067065E8 Relevance: .8, Instructions: 814COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6e7cfebe1c3e3a819310d28f1afd9c2b60d786ab84339c240cde4a3e706b15ef
                                                                                                            • Instruction ID: cc9579e08c7bbf5353921f41691c566dc239b13a11421f5a5623f545d8c9f344
                                                                                                            • Opcode Fuzzy Hash: 6e7cfebe1c3e3a819310d28f1afd9c2b60d786ab84339c240cde4a3e706b15ef
                                                                                                            • Instruction Fuzzy Hash: 1462AC34B10205CFEB54DB68D594AADB7F2EF88314F248469E40ADB394DB35ED46CBA0
                                                                                                            Function 0670C180 Relevance: .6, Instructions: 638COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 39f72a6b8168b948981d830b5eeea9281d6c24505bc2ceda77b8d15e6457c434
                                                                                                            • Instruction ID: 02b03c6102f543d7bf47b2cef59ea90964295c37a873c19c3729846b94d374cc
                                                                                                            • Opcode Fuzzy Hash: 39f72a6b8168b948981d830b5eeea9281d6c24505bc2ceda77b8d15e6457c434
                                                                                                            • Instruction Fuzzy Hash: 8132AF34B00205CFEB55DFA8D990AAEB7F6EB89310F108525E406E7395DB35EC46CBA1
                                                                                                            Function 0670B217 Relevance: .6, Instructions: 570COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 89a657285dd8793bd6561616b33a88955df7730a69c97c0992a073949919ada3
                                                                                                            • Instruction ID: a80a0914468611c3d987e2be8d17a2a356945ea353844f4ba6dbf311830e2b4c
                                                                                                            • Opcode Fuzzy Hash: 89a657285dd8793bd6561616b33a88955df7730a69c97c0992a073949919ada3
                                                                                                            • Instruction Fuzzy Hash: 8C224030E10109DFEB64DBA8D5807BEB7E6EB45710F208525E445DB3D1DA36DE81CBA1
                                                                                                            Function 0670ACC0 Relevance: 10.4, Strings: 8, Instructions: 412COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 756 670acc0-670acde 757 670ace0-670ace3 756->757 758 670acf4-670acf7 757->758 759 670ace5-670ace9 757->759 762 670ad11-670ad14 758->762 763 670acf9-670ad02 758->763 760 670aeec-670aef6 759->760 761 670acef 759->761 761->758 766 670ad16-670ad1b 762->766 767 670ad1e-670ad21 762->767 764 670aef7-670af01 763->764 765 670ad08-670ad0c 763->765 776 670af03-670af05 764->776 777 670af6b-670af6c 764->777 765->762 766->767 768 670ad23-670ad30 767->768 769 670ad35-670ad38 767->769 768->769 770 670ad52-670ad55 769->770 771 670ad3a-670ad4d 769->771 774 670ad57-670ad73 770->774 775 670ad78-670ad7b 770->775 771->770 774->775 781 670ad8b-670ad8e 775->781 782 670ad7d-670ad86 775->782 783 670af07-670af09 776->783 784 670af6f-670af72 776->784 779 670af56-670af5c 777->779 780 670af6d-670af6e 777->780 785 670af2e 779->785 786 670af5e-670af68 779->786 780->784 789 670ad94-670ad96 781->789 790 670aedd-670aee6 781->790 782->781 788 670af73-670af74 783->788 791 670af0b-670af2c 783->791 784->788 792 670af30-670af33 785->792 786->777 794 670af76-670af86 788->794 795 670b167-670b17a 788->795 796 670ad98 789->796 797 670ad9d-670ada0 789->797 790->760 790->763 791->785 798 670af39-670af55 792->798 799 670b19c-670b19f 792->799 813 670afa6-670afea 794->813 814 670af88-670afa1 794->814 803 670b17c 795->803 796->797 797->757 800 670ada6-670adca 797->800 798->779 804 670b1a1 call 670b217 799->804 805 670b1ae-670b1b1 799->805 822 670add0-670addf 800->822 823 670aeda 800->823 803->799 810 670b1a7-670b1a9 804->810 807 670b1b3-670b1bd 805->807 808 670b1be-670b1c1 805->808 811 670b1d2-670b1d5 808->811 812 670b1c3-670b1c7 808->812 810->805 817 670b1d7-670b1f3 811->817 818 670b1f8-670b1fa 811->818 812->798 816 670b1cd 812->816 840 670b006-670b045 813->840 841 670afec-670affe 813->841 814->803 816->811 817->818 819 670b201-670b204 818->819 820 670b1fc 818->820 819->792 824 670b20a-670b214 819->824 820->819 828 670ade1-670ade7 822->828 829 670adf7-670ae32 call 6706598 822->829 823->790 832 670ade9 828->832 833 670adeb-670aded 828->833 851 670ae34-670ae3a 829->851 852 670ae4a-670ae61 829->852 832->829 833->829 845 670b04b-670b126 call 6706598 840->845 846 670b12c-670b141 840->846 841->840 845->846 846->795 854 670ae3c 851->854 855 670ae3e-670ae40 851->855 860 670ae63-670ae69 852->860 861 670ae79-670ae8a 852->861 854->852 855->852 862 670ae6b 860->862 863 670ae6d-670ae6f 860->863 866 670aea2-670aed3 861->866 867 670ae8c-670ae92 861->867 862->861 863->861 866->823 869 670ae94 867->869 870 670ae96-670ae98 867->870 869->866 870->866
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                                                            • API String ID: 0-1273862796
                                                                                                            • Opcode ID: e274ef9dbed9dddc46bae4fc70ee5301982ef3568af732ec2bf8ea257affba55
                                                                                                            • Instruction ID: f7305531c317faa6dbd2447e409f62fca218504e4f0d0c2c175e4722639b7630
                                                                                                            • Opcode Fuzzy Hash: e274ef9dbed9dddc46bae4fc70ee5301982ef3568af732ec2bf8ea257affba55
                                                                                                            • Instruction Fuzzy Hash: 00E19030E1030ACFDB69DF68D8906AEB7F6EF85300F208529D4059B395DB75E946CBA1
                                                                                                            Function 00C263C8 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1187 c263c8-c26467 GetCurrentProcess 1191 c26470-c264a4 GetCurrentThread 1187->1191 1192 c26469-c2646f 1187->1192 1193 c264a6-c264ac 1191->1193 1194 c264ad-c264e1 GetCurrentProcess 1191->1194 1192->1191 1193->1194 1196 c264e3-c264e9 1194->1196 1197 c264ea-c26505 call c265a7 1194->1197 1196->1197 1200 c2650b-c2653a GetCurrentThreadId 1197->1200 1201 c26543-c265a5 1200->1201 1202 c2653c-c26542 1200->1202 1202->1201
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00C26456
                                                                                                            • GetCurrentThread.KERNEL32 ref: 00C26493
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00C264D0
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00C26529
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4493088335.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_c20000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: 99dc7a518eea57680b27d8cf1335d2bf2bd70f5534aee9b869869abcad06372a
                                                                                                            • Instruction ID: 2187559c81374f59580e8efaf95fd803eb2074703e25c03e58dc1f974bd25c34
                                                                                                            • Opcode Fuzzy Hash: 99dc7a518eea57680b27d8cf1335d2bf2bd70f5534aee9b869869abcad06372a
                                                                                                            • Instruction Fuzzy Hash: BA5167B09103498FDB14DFAAE548BAEBBF1FF48314F208459E059A73A0D774A944CB75
                                                                                                            Function 00C263D8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1209 c263d8-c26467 GetCurrentProcess 1213 c26470-c264a4 GetCurrentThread 1209->1213 1214 c26469-c2646f 1209->1214 1215 c264a6-c264ac 1213->1215 1216 c264ad-c264e1 GetCurrentProcess 1213->1216 1214->1213 1215->1216 1218 c264e3-c264e9 1216->1218 1219 c264ea-c26505 call c265a7 1216->1219 1218->1219 1222 c2650b-c2653a GetCurrentThreadId 1219->1222 1223 c26543-c265a5 1222->1223 1224 c2653c-c26542 1222->1224 1224->1223
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00C26456
                                                                                                            • GetCurrentThread.KERNEL32 ref: 00C26493
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00C264D0
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00C26529
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4493088335.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_c20000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: 4fa665d64c5496b8cd2746114d3a482a1b29c94a1243bead3480e68b99353ad7
                                                                                                            • Instruction ID: 3f4c5ee1f3de2e83eb8417f5da011c4c8f23fae67cfc0f6868bff28335f43fb5
                                                                                                            • Opcode Fuzzy Hash: 4fa665d64c5496b8cd2746114d3a482a1b29c94a1243bead3480e68b99353ad7
                                                                                                            • Instruction Fuzzy Hash: DC5147B09102498FDB14DFAAE548BAEBBF5FF48314F20C459E019A73A0D774A944CF65
                                                                                                            Function 06709148 Relevance: 5.2, Strings: 4, Instructions: 230COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1231 6709148-670916d 1232 670916f-6709172 1231->1232 1233 6709a30-6709a33 1232->1233 1234 6709178-670918d 1232->1234 1235 6709a35-6709a54 1233->1235 1236 6709a59-6709a5b 1233->1236 1241 67091a5-67091bb 1234->1241 1242 670918f-6709195 1234->1242 1235->1236 1238 6709a62-6709a65 1236->1238 1239 6709a5d 1236->1239 1238->1232 1243 6709a6b-6709a75 1238->1243 1239->1238 1248 67091c6-67091c8 1241->1248 1244 6709197 1242->1244 1245 6709199-670919b 1242->1245 1244->1241 1245->1241 1249 67091e0-6709251 1248->1249 1250 67091ca-67091d0 1248->1250 1261 6709253-6709276 1249->1261 1262 670927d-6709299 1249->1262 1251 67091d2 1250->1251 1252 67091d4-67091d6 1250->1252 1251->1249 1252->1249 1261->1262 1267 67092c5-67092e0 1262->1267 1268 670929b-67092be 1262->1268 1273 67092e2-6709304 1267->1273 1274 670930b-6709326 1267->1274 1268->1267 1273->1274 1279 6709328-6709344 1274->1279 1280 670934b-6709359 1274->1280 1279->1280 1281 6709369-67093e3 1280->1281 1282 670935b-6709364 1280->1282 1288 6709430-6709445 1281->1288 1289 67093e5-6709403 1281->1289 1282->1243 1288->1233 1293 6709405-6709414 1289->1293 1294 670941f-670942e 1289->1294 1293->1294 1294->1288 1294->1289
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q$$]q$$]q
                                                                                                            • API String ID: 0-858218434
                                                                                                            • Opcode ID: 6860005eb682cd9b8b4e235cff4ecfecf165a934427b219db060496abedc0631
                                                                                                            • Instruction ID: e645b11b2d0b04d23148f8c03edd4f58efaa7f923cceb33a654c875b1e5178ff
                                                                                                            • Opcode Fuzzy Hash: 6860005eb682cd9b8b4e235cff4ecfecf165a934427b219db060496abedc0631
                                                                                                            • Instruction Fuzzy Hash: 54915F31B0060A9FEB94DF65D8507AFB3F6FF84204F108465D909EB385EB319D468BA1
                                                                                                            Function 0670CF50 Relevance: 4.5, Strings: 3, Instructions: 797COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1297 670cf50-670cf6b 1298 670cf6d-670cf70 1297->1298 1299 670cf76-670cf79 1298->1299 1300 670d43c-670d448 1298->1300 1301 670cf83-670cf86 1299->1301 1302 670cf7b-670cf80 1299->1302 1303 670d16e-670d17d 1300->1303 1304 670d44e-670d73b 1300->1304 1305 670cf88-670cfca 1301->1305 1306 670cfcf-670cfd2 1301->1306 1302->1301 1307 670d18c-670d198 1303->1307 1308 670d17f-670d184 1303->1308 1510 670d741-670d747 1304->1510 1511 670d962-670d96c 1304->1511 1305->1306 1312 670cfd4-670d016 1306->1312 1313 670d01b-670d01e 1306->1313 1309 670d96d-670d9a6 1307->1309 1310 670d19e-670d1b0 1307->1310 1308->1307 1327 670d9a8-670d9ab 1309->1327 1325 670d1b5-670d1b8 1310->1325 1312->1313 1315 670d020-670d02f 1313->1315 1316 670d067-670d06a 1313->1316 1322 670d031-670d036 1315->1322 1323 670d03e-670d04a 1315->1323 1319 670d0b3-670d0b6 1316->1319 1320 670d06c-670d0ae 1316->1320 1328 670d0d3-670d0d6 1319->1328 1329 670d0b8-670d0ce 1319->1329 1320->1319 1322->1323 1323->1309 1330 670d050-670d062 1323->1330 1333 670d201-670d204 1325->1333 1334 670d1ba-670d1fc 1325->1334 1338 670d9ad-670d9c9 1327->1338 1339 670d9ce-670d9d1 1327->1339 1336 670d0d8-670d0f4 1328->1336 1337 670d0f9-670d0fc 1328->1337 1329->1328 1330->1316 1340 670d206-670d248 1333->1340 1341 670d24d-670d250 1333->1341 1334->1333 1336->1337 1347 670d145-670d148 1337->1347 1348 670d0fe-670d140 1337->1348 1338->1339 1344 670d9d3-670d9ff 1339->1344 1345 670da04-670da07 1339->1345 1340->1341 1359 670d252-670d294 1341->1359 1360 670d299-670d29c 1341->1360 1344->1345 1354 670da16-670da18 1345->1354 1355 670da09 call 670dac5 1345->1355 1357 670d157-670d15a 1347->1357 1358 670d14a-670d14c 1347->1358 1348->1347 1368 670da1a 1354->1368 1369 670da1f-670da22 1354->1369 1380 670da0f-670da11 1355->1380 1370 670d169-670d16c 1357->1370 1371 670d15c-670d15e 1357->1371 1366 670d152 1358->1366 1367 670d2f7-670d300 1358->1367 1359->1360 1362 670d2e5-670d2e7 1360->1362 1363 670d29e-670d2e0 1360->1363 1377 670d2e9 1362->1377 1378 670d2ee-670d2f1 1362->1378 1363->1362 1366->1357 1381 670d302-670d307 1367->1381 1382 670d30f-670d31b 1367->1382 1368->1369 1369->1327 1384 670da24-670da33 1369->1384 1370->1303 1370->1325 1385 670d164 1371->1385 1386 670d439 1371->1386 1377->1378 1378->1298 1378->1367 1380->1354 1381->1382 1391 670d321-670d335 1382->1391 1392 670d42c-670d431 1382->1392 1405 670da35-670da98 call 6706598 1384->1405 1406 670da9a-670daaf 1384->1406 1385->1370 1386->1300 1391->1386 1412 670d33b-670d34d 1391->1412 1392->1386 1405->1406 1420 670dab0 1406->1420 1423 670d371-670d373 1412->1423 1424 670d34f-670d355 1412->1424 1420->1420 1435 670d37d-670d389 1423->1435 1429 670d357 1424->1429 1430 670d359-670d365 1424->1430 1433 670d367-670d36f 1429->1433 1430->1433 1433->1435 1443 670d397 1435->1443 1444 670d38b-670d395 1435->1444 1446 670d39c-670d39e 1443->1446 1444->1446 1446->1386 1448 670d3a4-670d3c0 call 6706598 1446->1448 1457 670d3c2-670d3c7 1448->1457 1458 670d3cf-670d3db 1448->1458 1457->1458 1458->1392 1460 670d3dd-670d42a 1458->1460 1460->1386 1512 670d756-670d75f 1510->1512 1513 670d749-670d74e 1510->1513 1512->1309 1514 670d765-670d778 1512->1514 1513->1512 1516 670d952-670d95c 1514->1516 1517 670d77e-670d784 1514->1517 1516->1510 1516->1511 1518 670d793-670d79c 1517->1518 1519 670d786-670d78b 1517->1519 1518->1309 1520 670d7a2-670d7c3 1518->1520 1519->1518 1523 670d7d2-670d7db 1520->1523 1524 670d7c5-670d7ca 1520->1524 1523->1309 1525 670d7e1-670d7fe 1523->1525 1524->1523 1525->1516 1528 670d804-670d80a 1525->1528 1528->1309 1529 670d810-670d829 1528->1529 1531 670d945-670d94c 1529->1531 1532 670d82f-670d856 1529->1532 1531->1516 1531->1528 1532->1309 1535 670d85c-670d866 1532->1535 1535->1309 1536 670d86c-670d883 1535->1536 1538 670d892-670d8ad 1536->1538 1539 670d885-670d890 1536->1539 1538->1531 1544 670d8b3-670d8cc call 6706598 1538->1544 1539->1538 1548 670d8db-670d8e4 1544->1548 1549 670d8ce-670d8d3 1544->1549 1548->1309 1550 670d8ea-670d93e 1548->1550 1549->1548 1550->1531
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q$$]q
                                                                                                            • API String ID: 0-182748909
                                                                                                            • Opcode ID: e1068400c1e2e3991ec5c1df2bde57bbe92d93eedad98edcccbf04a88bdff403
                                                                                                            • Instruction ID: af3e6841bb8793b138b0045664b1d5945b00da13cf642cba22fb6821de5328a1
                                                                                                            • Opcode Fuzzy Hash: e1068400c1e2e3991ec5c1df2bde57bbe92d93eedad98edcccbf04a88bdff403
                                                                                                            • Instruction Fuzzy Hash: 39622E34600206CFDB65EFA8D590A5EB7E6FF85304B20C928D0099F399DB75ED4ACB91
                                                                                                            Function 06704B68 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                                                                            Download Yara Rule

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1558 6704b68-6704b8c 1559 6704b8e-6704b91 1558->1559 1560 6704bb2-6704bb5 1559->1560 1561 6704b93-6704bad 1559->1561 1562 6705294-6705296 1560->1562 1563 6704bbb-6704cb3 1560->1563 1561->1560 1565 6705298 1562->1565 1566 670529d-67052a0 1562->1566 1581 6704d36-6704d3d 1563->1581 1582 6704cb9-6704d06 call 6705418 1563->1582 1565->1566 1566->1559 1567 67052a6-67052b3 1566->1567 1583 6704dc1-6704dca 1581->1583 1584 6704d43-6704db3 1581->1584 1595 6704d0c-6704d28 1582->1595 1583->1567 1601 6704db5 1584->1601 1602 6704dbe 1584->1602 1598 6704d33 1595->1598 1599 6704d2a 1595->1599 1598->1581 1599->1598 1601->1602 1602->1583
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: fbq$XPbq$\Obq
                                                                                                            • API String ID: 0-4057264190
                                                                                                            • Opcode ID: 67cf12f37fe0ca51877b359d635079106c0be699e9713bfb92fbf7371d7efca9
                                                                                                            • Instruction ID: c47557dfdf4dca736bae7b8d222a20e16dd551a8e8f6e62cd3af5c46808e9fea
                                                                                                            • Opcode Fuzzy Hash: 67cf12f37fe0ca51877b359d635079106c0be699e9713bfb92fbf7371d7efca9
                                                                                                            • Instruction Fuzzy Hash: 24616231E00219DFEB549FA8C8547AEBBF6FF88700F208429D209AB3D5DB754D458BA5
                                                                                                            Function 06709137 Relevance: 2.7, Strings: 2, Instructions: 162COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q
                                                                                                            • API String ID: 0-127220927
                                                                                                            • Opcode ID: 761ffbec7873264a4f30a797a2440fed5280029d0dd9f53c68e9250aa2797452
                                                                                                            • Instruction ID: 129a0ad95d06ee6d52aa1730194c534058fb1d21f2dbcf55b31ece0f77a8aeea
                                                                                                            • Opcode Fuzzy Hash: 761ffbec7873264a4f30a797a2440fed5280029d0dd9f53c68e9250aa2797452
                                                                                                            • Instruction Fuzzy Hash: 5E514231B005069FEB55DBB8D850B6FB3F6EB88604F108869D50AEB395DB319D43CBA1
                                                                                                            Function 06704B59 Relevance: 2.6, Strings: 2, Instructions: 142COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: fbq$XPbq
                                                                                                            • API String ID: 0-2292610095
                                                                                                            • Opcode ID: ea91e2703ccbc92b4d969f808bf6820aedc9dc03206e19f4d7e072b643214e0a
                                                                                                            • Instruction ID: a4dd6bf1c6be93f726f8420c5a79f03621bd190ff42d37520fbed057f70248e5
                                                                                                            • Opcode Fuzzy Hash: ea91e2703ccbc92b4d969f808bf6820aedc9dc03206e19f4d7e072b643214e0a
                                                                                                            • Instruction Fuzzy Hash: 1B518530F00209DFEB549FA5C854BAEBAF6FF88700F208529E105AB3D5DA758C458BA1
                                                                                                            Function 00C2E7D8 Relevance: 1.7, APIs: 1, Instructions: 201COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00C2EA3E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4493088335.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_c20000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139908857-0
                                                                                                            • Opcode ID: 17d0b226fc56461f24ac04e646fda35e1526cca99816bd2449e5c18992e2a37e
                                                                                                            • Instruction ID: 98364cc28e5462e1cc30164b4b965ed333247e8b63eeec9434e5d73c237fda91
                                                                                                            • Opcode Fuzzy Hash: 17d0b226fc56461f24ac04e646fda35e1526cca99816bd2449e5c18992e2a37e
                                                                                                            • Instruction Fuzzy Hash: 07815670A00B558FD724DF2AE44179ABBF5FF88300F00892ED49AE7A91DB75E945CB90
                                                                                                            Function 00F6EB48 Relevance: 1.7, APIs: 1, Instructions: 154COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4494599389.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_f60000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 67c282b5f90efa3565d3167a31060540db1564a7af08c3243309d90c0cc2da5c
                                                                                                            • Instruction ID: 7839f573317a1af6fb00a6dde0fd085c319e5ef7f9844520ed4bcce4518adfcf
                                                                                                            • Opcode Fuzzy Hash: 67c282b5f90efa3565d3167a31060540db1564a7af08c3243309d90c0cc2da5c
                                                                                                            • Instruction Fuzzy Hash: EA513532D043598FCB14CF69D8446EABBF6AFCA310F14856BD805A7291DB34AC45CBE1
                                                                                                            Function 00C2661F Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C266A7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4493088335.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_c20000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: fff3b5ba14133a8b14a2f8fdeb52de5c0f1461693fed22a45b74e269af28b385
                                                                                                            • Instruction ID: 86586a964d1afb4257a515786647a9139ee0a799890e6825b808db28936fb221
                                                                                                            • Opcode Fuzzy Hash: fff3b5ba14133a8b14a2f8fdeb52de5c0f1461693fed22a45b74e269af28b385
                                                                                                            • Instruction Fuzzy Hash: 4321E2B59002489FDB10CFAAD984AEEBFF5FB48310F14801AE918A7350C378A944CFA0
                                                                                                            Function 00C26620 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C266A7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4493088335.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_c20000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: afff796471d5b7731e69f4e44194cf58d8e9873b862271574c60f0563d575b50
                                                                                                            • Instruction ID: db7fb7e8a8061de433939e5e1c5e677efc42626d4887a2c0102fb2a57b390cfe
                                                                                                            • Opcode Fuzzy Hash: afff796471d5b7731e69f4e44194cf58d8e9873b862271574c60f0563d575b50
                                                                                                            • Instruction Fuzzy Hash: C421C2B59002589FDB10CFAAD984ADEBBF9FB48310F14841AE918A7350D379A944CFA5
                                                                                                            Function 00C2EC38 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C2EAB9,00000800,00000000,00000000), ref: 00C2ECAA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4493088335.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_c20000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            • Opcode ID: b6156daae0fe2104ce838c78e64fd3f3df622522a96e2686394a31162624aeca
                                                                                                            • Instruction ID: 31f1d2ade51a6c84c23436d5b33ca447442beaf9f49a3ce6c752726fded4f18b
                                                                                                            • Opcode Fuzzy Hash: b6156daae0fe2104ce838c78e64fd3f3df622522a96e2686394a31162624aeca
                                                                                                            • Instruction Fuzzy Hash: A81112B68003089FDB10CF9AD544ADEFBF4EB88320F10842AE429B7700C379A945CFA4
                                                                                                            Function 00C2D780 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C2EAB9,00000800,00000000,00000000), ref: 00C2ECAA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4493088335.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_c20000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            • Opcode ID: b5741f3bf80c2f88b466870a41941702456a546fc9d9e04bab4964ca9be7b071
                                                                                                            • Instruction ID: aa297f573af42824f6ec2f16a3a39ceddfce1fd7d3afbfff7b09dd9cbc65275b
                                                                                                            • Opcode Fuzzy Hash: b5741f3bf80c2f88b466870a41941702456a546fc9d9e04bab4964ca9be7b071
                                                                                                            • Instruction Fuzzy Hash: E01114B68003589FDB10CF9AD544ADEFBF4EB88320F10842AE919B7700C379A945CFA5
                                                                                                            Function 00F6EC30 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 00F6EC97
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4494599389.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_f60000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: GlobalMemoryStatus
                                                                                                            • String ID:
                                                                                                            • API String ID: 1890195054-0
                                                                                                            • Opcode ID: c31bba261fab92b8359af105032d57d0c4122d9395104661a94bdd48cdf3860b
                                                                                                            • Instruction ID: 58c53ca5b4bbda7199b9907b47d13b9f4ce9b9cedc755591a71012989aa76cc8
                                                                                                            • Opcode Fuzzy Hash: c31bba261fab92b8359af105032d57d0c4122d9395104661a94bdd48cdf3860b
                                                                                                            • Instruction Fuzzy Hash: 00111FB2C006599FCB10DF9AC544A9EFBF4AF48320F10812AD818A7241D378A940CFA1
                                                                                                            Function 00C2E9D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                            Download Yara Rule
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00C2EA3E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4493088335.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_c20000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139908857-0
                                                                                                            • Opcode ID: 102d3a1bc9082d6bb823f5ac0fd4654e6a2df637e505e4a2bfa80c320b866b50
                                                                                                            • Instruction ID: 939a4e6c1b37c659d205f266e024a11a5534f853fb77a8ac43800df162643310
                                                                                                            • Opcode Fuzzy Hash: 102d3a1bc9082d6bb823f5ac0fd4654e6a2df637e505e4a2bfa80c320b866b50
                                                                                                            • Instruction Fuzzy Hash: F3110FB6C002498FCB10CF9AD444A9EFBF4AB88310F10841AD829B7600C379A545CFA1
                                                                                                            Function 0670DAC5 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PH]q
                                                                                                            • API String ID: 0-3168235125
                                                                                                            • Opcode ID: b52961e01f76268796229921ad66d4b74ea87b4746f724e80db5042169c36465
                                                                                                            • Instruction ID: 067d14693dbf7969c9f1fe3fcad47f42b29caaa199114f3a355d41cdc007e898
                                                                                                            • Opcode Fuzzy Hash: b52961e01f76268796229921ad66d4b74ea87b4746f724e80db5042169c36465
                                                                                                            • Instruction Fuzzy Hash: D441B030E0034ADFEB64DFA5D5506AEBBF2EF85300F20852AD405D7281EB759946CBA1
                                                                                                            Function 067021BD Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PH]q
                                                                                                            • API String ID: 0-3168235125
                                                                                                            • Opcode ID: 32f5d129dfd9bdc377198e8a301b5fd567636d0a56a9af3254a2c03491eec320
                                                                                                            • Instruction ID: 2241760e77acb27ebd5df1fa78061707d4404693bb3981da0746cd50004e606d
                                                                                                            • Opcode Fuzzy Hash: 32f5d129dfd9bdc377198e8a301b5fd567636d0a56a9af3254a2c03491eec320
                                                                                                            • Instruction Fuzzy Hash: 3E31CE31B102418FEB99ABB4C96466E7BE2EF89200B148468D406DB396DB35CE46C7B1
                                                                                                            Function 067021D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PH]q
                                                                                                            • API String ID: 0-3168235125
                                                                                                            • Opcode ID: 528ab3e9f38601d641157293b1e2f4b2cbff71e78cb334799c6f4f01d3048c64
                                                                                                            • Instruction ID: 63ad033be79ee495fbca3a9d69c83fdd6ab96a931ada31de1cbb83c16a29f56c
                                                                                                            • Opcode Fuzzy Hash: 528ab3e9f38601d641157293b1e2f4b2cbff71e78cb334799c6f4f01d3048c64
                                                                                                            • Instruction Fuzzy Hash: 8631E131B10201CFEB99ABB4D95866E7AE6EF89200F108438D406DB396DF35DE46C7B5
                                                                                                            Function 067061E0 Relevance: .2, Instructions: 229COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e9e1a845ea054fdb4e7f541271d5cbc93d85c11f9fd1fd03056b9ae6266cd965
                                                                                                            • Instruction ID: fe833c206da01c32fa3ae713d5de7427504d32a770a337c4be97fe180ad75126
                                                                                                            • Opcode Fuzzy Hash: e9e1a845ea054fdb4e7f541271d5cbc93d85c11f9fd1fd03056b9ae6266cd965
                                                                                                            • Instruction Fuzzy Hash: 3C61A171F000118FDB54AB6EC890A6FBADBAFD4224F154479E80EDB3A4DE65DD0287E1
                                                                                                            Function 06704298 Relevance: .2, Instructions: 225COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9256e72476242cfc2428e222e5390a61b235d2b24b9bd07c4879558363d8b302
                                                                                                            • Instruction ID: e9c295bb10237e129963e5947c9f4a6e1c11b23acc7e4b52bc899165268411c4
                                                                                                            • Opcode Fuzzy Hash: 9256e72476242cfc2428e222e5390a61b235d2b24b9bd07c4879558363d8b302
                                                                                                            • Instruction Fuzzy Hash: 56815E34B002069FEB54DFA8C45476EB7F2EF89304F118528D50AEB398DB35DC468BA1
                                                                                                            Function 067045B8 Relevance: .2, Instructions: 225COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9b164510a4a2fe418563b8247b07c9a391648c0db1487364dc31f9e7ebf7a13d
                                                                                                            • Instruction ID: 54696f12c20455586264e16de1013fbc719e3f95d47e7c55883fdd3fd7ce0e95
                                                                                                            • Opcode Fuzzy Hash: 9b164510a4a2fe418563b8247b07c9a391648c0db1487364dc31f9e7ebf7a13d
                                                                                                            • Instruction Fuzzy Hash: 9C913E30E10619CFEF60DF64C890B9DB7B1FF85304F208595D549AB295EB70AE85CB91
                                                                                                            Function 067045D0 Relevance: .2, Instructions: 210COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 324d63d7341d763d8fe8fd4231e0747ca493ad36d1201cb079b04ae3938fe5e6
                                                                                                            • Instruction ID: 676d7d1eb76295d5ad3fdd5997471e61277e8775edff770bc0746f9038e3a5bb
                                                                                                            • Opcode Fuzzy Hash: 324d63d7341d763d8fe8fd4231e0747ca493ad36d1201cb079b04ae3938fe5e6
                                                                                                            • Instruction Fuzzy Hash: 4C911D30E10619CBEF60DF68C890B9DB7B1FF85304F208595D54DAB295EB70AA85CF51
                                                                                                            Function 0670EF28 Relevance: .2, Instructions: 203COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 927aea847bd859b76f45d2f4da08093f194fcd2dd4b688e3a480add202add1f9
                                                                                                            • Instruction ID: 72ba16c9979022504f6559d1d93f6af1a7d523847237cc6dfaf2e199177ee663
                                                                                                            • Opcode Fuzzy Hash: 927aea847bd859b76f45d2f4da08093f194fcd2dd4b688e3a480add202add1f9
                                                                                                            • Instruction Fuzzy Hash: 8D711F70A00209DFDB54DFA9D990A9EBBF6FF84304F248429E409DB395DB35E946CB60
                                                                                                            Function 0670EF38 Relevance: .2, Instructions: 201COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ccca91fdc38952c49e2793cc79d049c8d45b948dd111f88519321859f8778947
                                                                                                            • Instruction ID: 311e6845e0cbf240f47403388d33a327947345006804a40bf5137f92092964e1
                                                                                                            • Opcode Fuzzy Hash: ccca91fdc38952c49e2793cc79d049c8d45b948dd111f88519321859f8778947
                                                                                                            • Instruction Fuzzy Hash: 00711C70A00209DFDB54DFA9D990AAEBBF6FF84304F148429E409DB395DB35E946CB60
                                                                                                            Function 0670FC90 Relevance: .2, Instructions: 177COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f2ae1f0cd26f95fb7a245857ce5db63d4ae2c4b1855e6f98f2ac89ca37ce8eb6
                                                                                                            • Instruction ID: 2e46f73e23541be636e2fd56827ecfc82f60fc1dd3a6790c131fc6ef22eb162e
                                                                                                            • Opcode Fuzzy Hash: f2ae1f0cd26f95fb7a245857ce5db63d4ae2c4b1855e6f98f2ac89ca37ce8eb6
                                                                                                            • Instruction Fuzzy Hash: 71510531E00105DFEB24EF78E4546AEB7B2FF84314F208869D906D7291DB399855CBA1
                                                                                                            Function 0670FA40 Relevance: .2, Instructions: 168COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6cf31cbcc80b06dd846280c3f46c838e3929a7877a50216db7a41758fd5eb7e4
                                                                                                            • Instruction ID: 9799cfedf33162ac29c7253d20384b0bf98690c9d84f3be1ae69248c12df2d38
                                                                                                            • Opcode Fuzzy Hash: 6cf31cbcc80b06dd846280c3f46c838e3929a7877a50216db7a41758fd5eb7e4
                                                                                                            • Instruction Fuzzy Hash: 1151B674B10215DFFF74666CE95473F669EDB89310F20482AE80AC73E5CA6DCC4687A2
                                                                                                            Function 0670FA50 Relevance: .2, Instructions: 163COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 30e90ce00b7b09bc917802299dfcb07e23aa51d9985c5119c045bc9e5abd80c5
                                                                                                            • Instruction ID: 1153dcc9d0b4ca28a65753f6a30d1f4f38dc0036baa89b5b28c687079353996b
                                                                                                            • Opcode Fuzzy Hash: 30e90ce00b7b09bc917802299dfcb07e23aa51d9985c5119c045bc9e5abd80c5
                                                                                                            • Instruction Fuzzy Hash: 14518374B10214DBFF746669E95473F669EDB89310F20482AE80AC73E5CA6DCC4687A2
                                                                                                            Function 06705418 Relevance: .1, Instructions: 136COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: df977f3fe7bfeb728c5e69f4fd9c600cc6beb6645ec9820a106a549a9f5b824b
                                                                                                            • Instruction ID: 37a5f51a22b947d4d51ae18040059ac58c2ee138d9f6484ffb6513b885eef2e9
                                                                                                            • Opcode Fuzzy Hash: df977f3fe7bfeb728c5e69f4fd9c600cc6beb6645ec9820a106a549a9f5b824b
                                                                                                            • Instruction Fuzzy Hash: 8E418075E00609DFEF60CEA9D980ABEF7F6EB84310F104926E219D7190D730E9958FA1
                                                                                                            Function 06705590 Relevance: .1, Instructions: 118COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 035e57f66ae52c13f67477386f4153bfdbaa028f45e36d66deafa1ea167339d5
                                                                                                            • Instruction ID: 136e3b265741cdd80a82f28d90dfb3967ac55c6b3bfeb165b5de4219058f3f44
                                                                                                            • Opcode Fuzzy Hash: 035e57f66ae52c13f67477386f4153bfdbaa028f45e36d66deafa1ea167339d5
                                                                                                            • Instruction Fuzzy Hash: 88419175E10105CBFF708A69CA8077EB7F2EB85710F20892AD559D72C0EA75D842DF61
                                                                                                            Function 06702080 Relevance: .1, Instructions: 97COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c12f1a58ee46f768986d9014019f645699ce5c660b31a363534089efae57f997
                                                                                                            • Instruction ID: 5ddb8bbb3cb8fde3e2d015844b3c59f219e0eada0e6b2ff4ae10d10759557b42
                                                                                                            • Opcode Fuzzy Hash: c12f1a58ee46f768986d9014019f645699ce5c660b31a363534089efae57f997
                                                                                                            • Instruction Fuzzy Hash: 8D318E31E00206DFDB55CF64D858AAEBBF2BF89300F108419E916E7391DB71AD46CBA1
                                                                                                            Function 0670D978 Relevance: .1, Instructions: 97COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1210d1f6f6c218d449ba498218211121c195ff17a38880dac80e62c92f674b2e
                                                                                                            • Instruction ID: 621ad33f661838c631d5a40606c22bd218651d4c65cbb00637095f0d6d99c37d
                                                                                                            • Opcode Fuzzy Hash: 1210d1f6f6c218d449ba498218211121c195ff17a38880dac80e62c92f674b2e
                                                                                                            • Instruction Fuzzy Hash: 7C316770A1030A9FDF64DFA9D94069EB7F6FF85300F208929E445E7284DB71E946CB51
                                                                                                            Function 06702090 Relevance: .1, Instructions: 91COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7a66cce7170ef49facecb3cd0b33114d19644612e765360990005a8bd07ead85
                                                                                                            • Instruction ID: ba0d072e544caccc93b24bb735455b6d8489acbe696b65badab333cbca539538
                                                                                                            • Opcode Fuzzy Hash: 7a66cce7170ef49facecb3cd0b33114d19644612e765360990005a8bd07ead85
                                                                                                            • Instruction Fuzzy Hash: CA319C31E1020ADBDB55CF64C858AAEB7F2FF89300F108529E916E7391DB71AD46CB90
                                                                                                            Function 06703EA0 Relevance: .1, Instructions: 84COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d8cf84b36cc216999cb084cb1851b9564bdeea4831f40700499685beab336ed5
                                                                                                            • Instruction ID: 264edbbe5dea0b4143a52c7ebd711f7a26b4d3385680af505f61631de0ae04c3
                                                                                                            • Opcode Fuzzy Hash: d8cf84b36cc216999cb084cb1851b9564bdeea4831f40700499685beab336ed5
                                                                                                            • Instruction Fuzzy Hash: EB216076F106169FDB50DFA9D840AAEBBF5EB48710F108025E909E7381D731D8428BA1
                                                                                                            Function 06703EB0 Relevance: .1, Instructions: 78COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 01b544e04d893bf4f97362cd5151e6c31e6d876296cc780880df194ecc20ceb4
                                                                                                            • Instruction ID: 4c10bb29be0ed4c8aa6d9d834d9f792ddad5e0eb045307ead2d09ee63457a9de
                                                                                                            • Opcode Fuzzy Hash: 01b544e04d893bf4f97362cd5151e6c31e6d876296cc780880df194ecc20ceb4
                                                                                                            • Instruction Fuzzy Hash: C5218376F006169FEB50DFA9D840AAEB7F5EB48710F148025E909E7380D732DD41CB91
                                                                                                            Function 00D1D005 Relevance: .1, Instructions: 78COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4493595555.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_d1d000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 60346f1f272510c8062c9d27e9ef6fe00111f16e65abc37dd65484546b2ce46d
                                                                                                            • Instruction ID: 43d21102326fc3eea7872abf2593028c16cc0f491a58015ce27f212959b2c7b6
                                                                                                            • Opcode Fuzzy Hash: 60346f1f272510c8062c9d27e9ef6fe00111f16e65abc37dd65484546b2ce46d
                                                                                                            • Instruction Fuzzy Hash: AB316F7150D3C49FC713CB24D890711BF71AB46214F29C5DBD9898F2A3C33A984ACB62
                                                                                                            Function 06706D01 Relevance: .1, Instructions: 74COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2e637301293f7411adc43c08e6c5c5302734fdb28a8193c9e5caba65794205f9
                                                                                                            • Instruction ID: a3e7bd51dc4a0cc24616474fdfdf0e17a8e64f24dce42249ae0ae2e576103e53
                                                                                                            • Opcode Fuzzy Hash: 2e637301293f7411adc43c08e6c5c5302734fdb28a8193c9e5caba65794205f9
                                                                                                            • Instruction Fuzzy Hash: 0621D430B101159FEF54EA68E8546AEBBF7EB84310F248425E409D7380D732AD568BA1
                                                                                                            Function 00D1D030 Relevance: .1, Instructions: 72COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4493595555.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_d1d000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 788ffb5cd6e3921e4043bbc092204aa54d9a1a377060f4d249f8058fda525e00
                                                                                                            • Instruction ID: 2fcbf0515094bf6b3a23d5f93ff0a9a93e7c4f6a8752b983a69cb8381d284aa9
                                                                                                            • Opcode Fuzzy Hash: 788ffb5cd6e3921e4043bbc092204aa54d9a1a377060f4d249f8058fda525e00
                                                                                                            • Instruction Fuzzy Hash: 8E21F575504204EFCB14DF14E980B66BB66FB88314F24C569E9494B256C73AD886CA72
                                                                                                            Function 06703FC0 Relevance: .1, Instructions: 59COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fddfa5635ea08c5537a77d7ff18a9835667e2368e126f16e6025c29d2ca26523
                                                                                                            • Instruction ID: ebb4e0457f8db913c52a26a533873deaad36056bea74e5e6ed31ef19ef8954ff
                                                                                                            • Opcode Fuzzy Hash: fddfa5635ea08c5537a77d7ff18a9835667e2368e126f16e6025c29d2ca26523
                                                                                                            • Instruction Fuzzy Hash: 5D118232B105198FDB54D678C8146AF73EAEBC9251B018579D50AE7384EF26DC068BE2
                                                                                                            Function 0670F1A9 Relevance: .1, Instructions: 57COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7d45c27925c0016da422b2cb5f79af99e2b6fc5dab781fb1b408ca98eeb8bccb
                                                                                                            • Instruction ID: 5f1715e257a285a4f0db09e798c922001817414bce48e41891f2c33415522114
                                                                                                            • Opcode Fuzzy Hash: 7d45c27925c0016da422b2cb5f79af99e2b6fc5dab781fb1b408ca98eeb8bccb
                                                                                                            • Instruction Fuzzy Hash: 9601F535B001115FDB71EA7CD850B2E77EADBC6614F10846AE50EC73C1DA2ADD0787A1
                                                                                                            Function 06703878 Relevance: .1, Instructions: 56COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 851044791aa541bb5b441250c574fd28ad2b9bdb05fae4c852d32fd9969cf5ef
                                                                                                            • Instruction ID: b8cfc58e345d5698ebd6bdecf5bc784b52a1939bd1cb4dd1adace5965720e21b
                                                                                                            • Opcode Fuzzy Hash: 851044791aa541bb5b441250c574fd28ad2b9bdb05fae4c852d32fd9969cf5ef
                                                                                                            • Instruction Fuzzy Hash: 3221C3B5D01259AFCB10DF9AD884ADEFFF8FB49310F10812AE918A7240C3756954CBA5
                                                                                                            Function 067041F8 Relevance: .1, Instructions: 56COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b527fca0a9540ac0049f065cde477c3106a3fb8a0625411e9ddd2cb5763aa55a
                                                                                                            • Instruction ID: 1b4165853228a2b01f9dcbf5b5192bc2e82dbc707ddcfb7636976831f5b1c2c4
                                                                                                            • Opcode Fuzzy Hash: b527fca0a9540ac0049f065cde477c3106a3fb8a0625411e9ddd2cb5763aa55a
                                                                                                            • Instruction Fuzzy Hash: 42019E35B041118FEB65DAAD9814B2AA6DACBC6610F10842AE20AC73D9DD61CD0643E1
                                                                                                            Function 06703FB0 Relevance: .1, Instructions: 54COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cd8df1b5c56fa2c35d65a3151057d907e2b600dc197a9d145e8973088f632574
                                                                                                            • Instruction ID: 90e71f23501dd3950c600a129820d9370becca1974fcceda3c3a5071d7128820
                                                                                                            • Opcode Fuzzy Hash: cd8df1b5c56fa2c35d65a3151057d907e2b600dc197a9d145e8973088f632574
                                                                                                            • Instruction Fuzzy Hash: 3401B536B100159BEB64D5689C14AEF72EBDBC9650F014435E50AE3284EF21D8068BE2
                                                                                                            Function 0670A2F8 Relevance: .1, Instructions: 52COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 54f7951fc12affe0d01cf9175fa577fb5bd49855c7bd967453d8808bdfcb5826
                                                                                                            • Instruction ID: fa605349225cb42b333d92740706ddefca4fb4c54b674f104bded3422ad6d843
                                                                                                            • Opcode Fuzzy Hash: 54f7951fc12affe0d01cf9175fa577fb5bd49855c7bd967453d8808bdfcb5826
                                                                                                            • Instruction Fuzzy Hash: 00018471B006155FEB609B7CD854B6FB7D6EB8A710F108438E10AC73D5DA22DD438391
                                                                                                            Function 06703880 Relevance: .1, Instructions: 52COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2bf3e18bf5d05b81c330815609d5138093cf3e71b963ed1f2588f5d54a6dc4dc
                                                                                                            • Instruction ID: b6d1f2ca9e9d9f2e0103aa8c798f41a9b907bbb6b5bd0e9772937a8a8c30a078
                                                                                                            • Opcode Fuzzy Hash: 2bf3e18bf5d05b81c330815609d5138093cf3e71b963ed1f2588f5d54a6dc4dc
                                                                                                            • Instruction Fuzzy Hash: 8E11D3B1D01259AFCB00DF9AD884ADEFFF4FB49310F10812AE918A7240C374A554CFA5
                                                                                                            Function 06704208 Relevance: .1, Instructions: 51COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8c4d8dad7025642ee3dce866496b17d443097522616cbc7c88c7ebaa28e395ae
                                                                                                            • Instruction ID: d54c5267bd0069c0f017c4fa7695070c9735c2d86205e290d709d4235bc25aeb
                                                                                                            • Opcode Fuzzy Hash: 8c4d8dad7025642ee3dce866496b17d443097522616cbc7c88c7ebaa28e395ae
                                                                                                            • Instruction Fuzzy Hash: A3018135B100118BEB64EAADD414B2FA6DBDBCA714F10843AE60EC73D8DA65DD0643E5
                                                                                                            Function 0670F1B8 Relevance: .0, Instructions: 49COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a582f284ca257bcf1f46abf5f6b1062d585a159b917425afe342bbac4aee6193
                                                                                                            • Instruction ID: ac167771d8f419c167108ce4b41fd29a64782db692253bcd9991413ad9dc98da
                                                                                                            • Opcode Fuzzy Hash: a582f284ca257bcf1f46abf5f6b1062d585a159b917425afe342bbac4aee6193
                                                                                                            • Instruction Fuzzy Hash: 87018135B000114BDB75DA6DD854B3E66DADBCA624F108439E50EC73C0EE69DD0747A5
                                                                                                            Function 0670A308 Relevance: .0, Instructions: 46COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 68d299e5dbe85cc78bd333a92d3814fee1c17d5f183307dbe009315d288dd08f
                                                                                                            • Instruction ID: 1ba8a92c16c161d62f582903ffd535cf1b82dd10b1cc9c81944cdab842abe680
                                                                                                            • Opcode Fuzzy Hash: 68d299e5dbe85cc78bd333a92d3814fee1c17d5f183307dbe009315d288dd08f
                                                                                                            • Instruction Fuzzy Hash: 2C018131B006158FEB64EA7CD454B2FB7DAEB8A710F108438E10EC7395DA22DD438391
                                                                                                            Function 06706469 Relevance: .0, Instructions: 28COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2e4fc39b4f1986608f633c314d309f3c026fab1c3f34959219a4669697c52c4f
                                                                                                            • Instruction ID: 812815106c180d342a25c90450932a63ba6e9509e605c36a515f47540653caf3
                                                                                                            • Opcode Fuzzy Hash: 2e4fc39b4f1986608f633c314d309f3c026fab1c3f34959219a4669697c52c4f
                                                                                                            • Instruction Fuzzy Hash: 70E092B0D15208FFFB50CEB0C919B6A77EDDB42204F1089A5E404C7181E536DE1183B0

                                                                                                            Non-executed Functions

                                                                                                            Function 06707698 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                                                            • API String ID: 0-2843079600
                                                                                                            • Opcode ID: 5b454bd58cde3373af9d52c846c579c0f3b39932e1a98f8417b43dc1b4b295fd
                                                                                                            • Instruction ID: faff6ce0e36621fe8f16048e5f823f06037eb5ad805f98a6e90284b94968bd0a
                                                                                                            • Opcode Fuzzy Hash: 5b454bd58cde3373af9d52c846c579c0f3b39932e1a98f8417b43dc1b4b295fd
                                                                                                            • Instruction Fuzzy Hash: 2D122F30E00219CFDB68DF68C994A6EB7F6FF85304F208569D409AB295DB34AD46CF91
                                                                                                            Function 0670A928 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                                                            • API String ID: 0-1273862796
                                                                                                            • Opcode ID: 2477fc437c6ca3bad351296b79589e655a0a269215afaefc69bffe54c8c99af8
                                                                                                            • Instruction ID: dd68237b392e339f3e761d345bd9e99437591ad376dcfedcf74aa44ceda3f00c
                                                                                                            • Opcode Fuzzy Hash: 2477fc437c6ca3bad351296b79589e655a0a269215afaefc69bffe54c8c99af8
                                                                                                            • Instruction Fuzzy Hash: 3B916F70A10309DFEB68DF68D994B6E77F6EF84304F208529E402972D6DB759D41CBA0
                                                                                                            Function 06707098 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
                                                                                                            • API String ID: 0-981061697
                                                                                                            • Opcode ID: 831cc0ed6d14c4e13bd520f2a2931f44a9aaee2d3380dff64eb368650094ba39
                                                                                                            • Instruction ID: a7324c39f5d296961a4b8c4d94973dd638440b356ed7a4a29b5e298b2c9d1067
                                                                                                            • Opcode Fuzzy Hash: 831cc0ed6d14c4e13bd520f2a2931f44a9aaee2d3380dff64eb368650094ba39
                                                                                                            • Instruction Fuzzy Hash: 45F12F34B01209CFDB58EFA8D954A6EB7F6FF84300F208569D4069B399DB35AC42CB91
                                                                                                            Function 067083D0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q$$]q$$]q
                                                                                                            • API String ID: 0-858218434
                                                                                                            • Opcode ID: 3a4f4c2a51f1ddee2cad8545c5a7c17ebf24cac63fb380b4a3cf9c7125a6a67d
                                                                                                            • Instruction ID: 81635f3d7546c4908c30b681a2cb6c6b0962a552a5cd0687756458650681137d
                                                                                                            • Opcode Fuzzy Hash: 3a4f4c2a51f1ddee2cad8545c5a7c17ebf24cac63fb380b4a3cf9c7125a6a67d
                                                                                                            • Instruction Fuzzy Hash: 63B12C30B11209CFEB54DFA8C99466EB7F6EF84304F248429D4069B395DB75DC86CBA1
                                                                                                            Function 067087E8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: LR]q$LR]q$$]q$$]q
                                                                                                            • API String ID: 0-3527005858
                                                                                                            • Opcode ID: d2171b8ff2e1e9b8c1398ee14e0596772200340e0afb7515794ac16c96111799
                                                                                                            • Instruction ID: 2e94445ae26799266161499fa4e58a9fa1323ce3f650680e4fe91ebde7c3cba7
                                                                                                            • Opcode Fuzzy Hash: d2171b8ff2e1e9b8c1398ee14e0596772200340e0afb7515794ac16c96111799
                                                                                                            • Instruction Fuzzy Hash: 9C516F30B10205DFEB58EF68D950A6A77F6FF85300B148569E4069B3E5DB31EC41CBA6
                                                                                                            Function 0670ACB0 Relevance: 5.2, Strings: 4, Instructions: 165COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.4501360476.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_5_2_6700000_ynhHNexysa.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $]q$$]q$$]q$$]q
                                                                                                            • API String ID: 0-858218434
                                                                                                            • Opcode ID: f70ab056aa4a07b9a970045e104a772b577dbce48887b25ca3d396068625bebc
                                                                                                            • Instruction ID: 83c50d55b0bed375ff3d9ec00778632cf24b190ac46cb9283574337176007d03
                                                                                                            • Opcode Fuzzy Hash: f70ab056aa4a07b9a970045e104a772b577dbce48887b25ca3d396068625bebc
                                                                                                            • Instruction Fuzzy Hash: B2518130A10305DFEF65DB68D980AAE77F6EF84310F248529E80697396DB35DD42CBA0