
Windows Analysis Report
x.exe

Overview

General Information

Sample name: x.exe
Analysis ID: 1586043
MD5: 10454890a3d7c7c0b7ec0bf7018141e4
SHA1: 167ab9a5a9e0c56689f73d894a397b9c176701df
SHA256: 91fee98b5957d145f144b61107ea0283fc3e02eb7e19b432e868ee45ffdc528e
Tags: exe user-malrpt

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • x.exe (PID: 5732 cmdline: "C:\Users\user\Desktop\x.exe" MD5: 10454890A3D7C7C0B7EC0BF7018141E4)
    • RegAsm.exe (PID: 6996 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source | Rule | Description | Author | Strings
Source: 00000002.00000002.4588333845.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000002.00000002.4588333845.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.4588333845.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 2.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 2.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 2.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 2.2.RegAsm.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | Strings:
                  • 0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 2.2.RegAsm.exe.400000.0.unpack | Rule: MALWARE_Win_AgentTeslaV2 | Description: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen | Strings:
                  • 0x3196b:$s2: GetPrivateProfileString
                  • 0x31018:$s3: get_OSFullName
                  • 0x32706:$s5: remove_Key
                  • 0x328b3:$s5: remove_Key
                  • 0x33795:$s6: FtpWebRequest
                  • 0x34717:$s7: logins
                  • 0x34c89:$s7: logins
                  • 0x3798e:$s7: logins
                  • 0x37a4c:$s7: logins
                  • 0x393a1:$s7: logins
                  • 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
                  No Sigma rule has matched
                  No Suricata rule has matched


                  AV Detection

Source: x.exe | Avira: detected
Source: 2.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source: x.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: x.exe | Joe Sandbox ML: detected
Source: x.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.41c3420.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.4187600.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.414b7d8.0.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 162.241.62.63
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: ftp.antoniomayol.com
Source: RegAsm.exe, 00000002.00000002.4588333845.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://antoniomayol.com
Source: RegAsm.exe, 00000002.00000002.4588333845.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.antoniomayol.com
Source: RegAsm.exe, 00000002.00000002.4588333845.0000000002A61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: x.exe, 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4588333845.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegAsm.exe, 00000002.00000002.4588333845.0000000002A61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: x.exe, 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.x.exe.414b7d8.0.raw.unpack, R1W.cs | .Net Code: HAg81
Source: 0.2.x.exe.41c3420.1.raw.unpack, R1W.cs | .Net Code: HAg81
Source: 0.2.x.exe.4187600.2.raw.unpack, R1W.cs | .Net Code: HAg81

                  System Summary

Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.x.exe.41c3420.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.x.exe.41c3420.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.x.exe.4187600.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.x.exe.4187600.2.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.x.exe.414b7d8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.x.exe.414b7d8.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.x.exe.41c3420.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.x.exe.41c3420.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.x.exe.4187600.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.x.exe.4187600.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.x.exe.414b7d8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.x.exe.414b7d8.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: x.exe | Static PE information: section name: PRSq<
Source: x.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00C628D0
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00C60848
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00C611E0
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00C628C1
Source: C:\Users\user\Desktop\x.exe | Code function: 0_2_00C607E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02A4B48A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02A44A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02A43E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02A4ECD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02A4AD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02A441B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0566C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0566AD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063D66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063D2440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063D5270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063DC270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063DB318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063D7E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063D7770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063DE478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063D59C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_063D0006
Source: x.exe, 00000000.00000002.2146115943.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dll vs x.exe
Source: x.exe, 00000000.00000002.2149991627.00000000027B0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename e6c7e90e-20ff-4cd0-a277-0023958459c3.exe vs x.exe
Source: x.exe, 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename e6c7e90e-20ff-4cd0-a277-0023958459c3.exe vs x.exe
Source: x.exe | Binary or memory string: OriginalFilename VVXCJEER.exe vs x.exe
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 | author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.x.exe.41c3420.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.x.exe.41c3420.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 | author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.x.exe.4187600.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.x.exe.4187600.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 | author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.x.exe.414b7d8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.x.exe.414b7d8.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 | author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.x.exe.41c3420.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.x.exe.41c3420.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 | author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.x.exe.4187600.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.x.exe.4187600.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 | author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.x.exe.414b7d8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.x.exe.414b7d8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 | author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: x.exe | Static PE information: Section: PRSq< ZLIB complexity 1.0003312993096647
Source: 0.2.x.exe.414b7d8.0.raw.unpack, KLhJmaON.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x.exe.414b7d8.0.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x.exe.414b7d8.0.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x.exe.414b7d8.0.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\x.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: x.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\x.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\x.exe "C:\Users\user\Desktop\x.exe"
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\x.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\x.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: x.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: x.exe | Static PE information: 0xB8E5284B [Thu Apr 19 01:50:03 2068 UTC]
Source: x.exe | Static PE information: section name: PRSq< entropy: 7.999313087046451
Source: C:\Users\user\Desktop\x.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: x.exe, 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4588333845.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\x.exe | Memory allocated: C60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\x.exe | Memory allocated: 27A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\x.exe | Memory allocated: 47A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\x.exe | Memory allocated: 4E40000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\x.exe | Memory allocated: 5E40000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\x.exe | Memory allocated: 5F70000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\x.exe | Memory allocated: 6F70000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 28D0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2A60000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 4A60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\x.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 599015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598796
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598359
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 598011
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597859
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597741
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597625
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597187
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 597078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596844
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596625
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596187
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 596076
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595859
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595750
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595529
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595421
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 595093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 594547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 1275
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 8589
                  Source: C:\Users\user\Desktop\x.exe TID: 5552 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -26747778906878833s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2820 | Thread sleep count: 1275 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -599890s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2820 | Thread sleep count: 8589 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -599781s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -599672s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -599562s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -599453s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -599344s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -599234s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -599125s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -599015s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -598906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -598796s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -598687s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -598578s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -598469s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -598359s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -598250s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -598125s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -598011s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -597859s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -597741s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -597625s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -597515s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -597406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -597297s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -597187s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -597078s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -596969s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -596844s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -596734s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -596625s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -596515s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -596406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -596297s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -596187s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -596076s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -595969s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -595859s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -595750s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -595640s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -595529s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -595421s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -595312s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -595203s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -595093s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -594984s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -594875s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -594765s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -594656s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2244 | Thread sleep time: -594547s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: RegAsm.exe, 00000002.00000002.4588333845.0000000002A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                  Source: RegAsm.exe, 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: x.exe, 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: hgfsZrw6
                  Source: RegAsm.exe, 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                  Source: RegAsm.exe, 00000002.00000002.4590990823.0000000005D6F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02A47070 CheckRemoteDebuggerPresent, 2_2_02A47070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\x.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\x.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
Source: C:\Users\user\Desktop\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\Users\user\Desktop\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9A0008
Source: C:\Users\user\Desktop\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\x.exe | Queries volume information: C:\Users\user\Desktop\x.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.41c3420.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.4187600.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.414b7d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.41c3420.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.4187600.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.414b7d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4588333845.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4588333845.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 5732, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6996, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.41c3420.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.4187600.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.414b7d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.41c3420.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.4187600.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.414b7d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4588333845.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 5732, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6996, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.41c3420.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.4187600.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.414b7d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.41c3420.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.4187600.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.x.exe.414b7d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4588333845.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4588333845.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 5732, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6996, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 311 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 34 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | 1 Credentials in Registry | 531 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 261 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 261 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 311 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label
x.exe | 66% | ReversingLabs | Win32.Trojan.InfostealerTesla
x.exe | 100% | Avira | TR/Dropper.Gen
x.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://antoniomayol.com | 0% | Avira URL Cloud | safe
http://ftp.antoniomayol.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
antoniomayol.com | 162.241.62.63 | true | true |  | unknown
ip-api.com | 208.95.112.1 | true | false |  | high
ftp.antoniomayol.com | unknown | unknown | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://antoniomayol.com | RegAsm.exe, 00000002.00000002.4588333845.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ftp.antoniomayol.com | RegAsm.exe, 00000002.00000002.4588333845.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | x.exe, 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000002.00000002.4588333845.0000000002A61000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://ip-api.com | RegAsm.exe, 00000002.00000002.4588333845.0000000002A61000.00000004.00000800.00020000.00000000.sdmp | false |  | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.241.62.63 | antoniomayol.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586043
Start date and time: 2025-01-08 16:52:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: x.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 83
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: x.exe
Time | Type | Description
10:53:01 | API Interceptor | 11544761x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | TR98760H.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 47SXvEQ.exe | malicious | Blank Grabber, Xmrig | ip-api.com/json/?fields=225545
208.95.112.1 | test.exe | malicious | PureLog Stealer, zgRAT | ip-api.com/json/
208.95.112.1 | HaLCYOFjMN.exe | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT | ip-api.com/line/?fields=hosting
208.95.112.1 | 1.exe | malicious | Unknown | ip-api.com/json/?fields=hosting,query
208.95.112.1 | 1.exe | malicious | Unknown | ip-api.com/json/?fields=hosting,query
208.95.112.1 | YPzNsfg4nR.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | SAL987656700.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Resource.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | P3A946MOFP.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
162.241.62.63 | Order 122001-220 guanzo.exe | malicious | FormBook | www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | TR98760H.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 47SXvEQ.exe | malicious | Blank Grabber, Xmrig | 208.95.112.1
ip-api.com | test.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
ip-api.com | HaLCYOFjMN.exe | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT | 208.95.112.1
ip-api.com | 1.exe | malicious | Unknown | 208.95.112.1
ip-api.com | 1.exe | malicious | Unknown | 208.95.112.1
ip-api.com | YPzNsfg4nR.exe | malicious | XWorm | 208.95.112.1
ip-api.com | SAL987656700.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Resource.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | P3A946MOFP.exe | malicious | XWorm | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNIFIEDLAYER-AS-1US | https://AAYUSHRELOCATEPACKERSANDMOVERS.COM | malicious | Unknown | 162.241.148.33
UNIFIEDLAYER-AS-1US | EZZGTmJj4O.exe | malicious | AgentTesla | 192.254.186.165
UNIFIEDLAYER-AS-1US | https://e.trustifi.com/#/fff2a0/670719/6dc158/ef68bf/5e1243/19ce62/f4cd99/c6b84a/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d78873/cd64d0/869af2/e9ab57/7015c1/91dda7/f34c0a/f30b47/688cba/a1d645/18dc79/33d9f9/9ee0a0/c61099/8f2456/8e1864/996369/790047/a93a09/347b17/38082d/363d49/f88c07/81bae2/57a7bb/6027c6/942952/b2de1b/e98aef/6a05c2/91297b/c70871/7f29c3/0a450d/ad0cac/967c2a/e7cb67/6e1193/8c4088/13aef1/e1d296/5056d4/51a97e/89a35b/c13e69/fa274a/5b7c2e/a8c901/02856f/1e0211/03ca84/d7b573/7e0de3/e2bdbb/7cab47/4dd465/addb41/2076e1/85559c/dbcb2d/514505/a6a54e/41e864/abb5a5/e59e4b/8c2df6/7e5cf3/b648da/8fbd98/4c7d8a/08e6a3/72f66f/a49cc6/18211b/1e6a5c/0d4fde | malicious | HTMLPhisher | 162.241.149.91
UNIFIEDLAYER-AS-1US | https://jmak-service.com/3225640388 | malicious | HTMLPhisher | 162.241.149.91
UNIFIEDLAYER-AS-1US | TR98760H.exe | malicious | AgentTesla | 162.241.62.63
UNIFIEDLAYER-AS-1US | https://pozaweclip.upnana.com/ | malicious | Unknown | 162.241.149.91
UNIFIEDLAYER-AS-1US | https://us01-i-prod-estimating-storage.s3.amazonaws.com/598134325679181/562949954787293/Documents/1706942/Hoosier%20Crane%20Service%20Company.pdf | malicious | HTMLPhisher | 162.241.149.91
UNIFIEDLAYER-AS-1US | miori.m68k.elf | malicious | Unknown | 142.7.137.184
UNIFIEDLAYER-AS-1US | https://universidad-unidem.edu.mx/mah/i/amFjb2JAc3RlaW5ib3JuLmNvbQ== | malicious | HTMLPhisher | 162.214.205.216
UNIFIEDLAYER-AS-1US | https://g248jqtc.r.ap-south-1.awstrack.me/L0/https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/westcommerce.com.br/e63o/1750871326/Ara/%23%3Fnl=amRpYkBhcmEuY29t/1/0109019433d34740-32de3bb4-8eb6-4b18-a944-d8e7ee993673-000000/ImcP_D-hsLxxvDJopI2vRjkqrI4=188 | malicious | Unknown | 50.116.112.103
TUT-ASUS | TR98760H.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 47SXvEQ.exe | malicious | Blank Grabber, Xmrig | 208.95.112.1
TUT-ASUS | test.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
TUT-ASUS | HaLCYOFjMN.exe | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT | 208.95.112.1
TUT-ASUS | 1.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | 1.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | YPzNsfg4nR.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | SAL987656700.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Resource.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | P3A946MOFP.exe | malicious | XWorm | 208.95.112.1
                                No context
                                No context
Process: C:\Users\user\Desktop\x.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.890578871500804
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.96%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: x.exe
File size: 294'912 bytes
MD5: 10454890a3d7c7c0b7ec0bf7018141e4
SHA1: 167ab9a5a9e0c56689f73d894a397b9c176701df
SHA256: 91fee98b5957d145f144b61107ea0283fc3e02eb7e19b432e868ee45ffdc528e
SHA512: 20518fd44aff080fddac3a508bcc3b29336ea87c868bd0faf639726b36479de4562ec639e425dbe06234ba5b4629da84b37228b199f8497a7777d36638f77e04
SSDEEP: 6144:DT9nXr8bxYfMPcy4OmBag1+pF0lsmxRQQc+gpvEUkxNl:XNQb2fMPSOCwpCFRj0p8UkxNl
TLSH: E354D0AD352072EFC85BC4728EA82C78BBA064A7430F4317A46715BD9E4D89BCF150F6
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K(............"...0..~............... ... ....@.. ....................................`................................
                                Icon Hash:00928e8e8686b000
Entrypoint:0x44c00a
Entrypoint Section:(nameless section at virtual address 0x4c000, see the section table below)
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0xB8E5284B [Thu Apr 19 01:50:03 2068 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [0044C000h]
add byte ptr [eax], al   (repeated 97 times: the zero bytes that follow the six-byte jmp stub disassemble as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_IMPORT          0x425d4          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4a000          0x5a6         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x4e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_IAT             0x4c000          0x8           (nameless section at 0x4c000)
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x42000          0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0           -
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
PRSq<   0x2000           0x3f404       0x3f600   5261171bab6d8a7b4501c897be296e7d  False     1.0003312993096647   data       7.999313087046451    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text   0x42000          0x7b1c        0x7c00    37c9644c8497775def0fc8286e12fde7  False     0.39642137096774194  data       4.964421780003819    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x4a000          0x5a6         0x600     dc18d4b0afd3469c75bccacc71c88f19  False     0.4186197916666667   data       4.108775403741988    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(none)  0x4c000          0x10          0x200     93a54e833bb343506d34a5f26a043ed5  False     0.044921875          data       0.14263576814887827  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc  0x4e000          0xc           0x200     7cca55dde79b6ddd1c48f85e6619951b  False     0.044921875          data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x4a0a0  0x31c  data                                                                               -         -        0.43090452261306533
RT_MANIFEST  0x4a3bc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  -         -        0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
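The static findings in the tables above (a section named "PRSq<" with entropy 7.999 and RWX flags, a nameless section, a TimeDateStamp in 2068) are the kind a triage script can check mechanically. The following is an added example, not Joe Sandbox output or code from the report: a pure-Python walk over the DOS header, COFF header and section table that applies those checks. The PE it inspects is constructed inside the script (it is not x.exe); its three sections borrow only the names, virtual addresses and flags from the section table above, and the 7.9 entropy threshold and the allowed name characters are assumptions chosen for the example.

```python
"""PE section-header triage for the anomalies the section table above reports.

Added example (not Joe Sandbox code). Checks applied to each section:
  * name empty, or containing characters outside [A-Za-z0-9._$]
  * Shannon entropy >= 7.9 over the raw bytes (packed / encrypted payload)
  * section flagged both writable and executable
and, on the COFF header, a TimeDateStamp that lies in the future.
"""
import math
import struct
import time

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (TimeDateStamp, [section dicts]) from a PE file held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, timestamp, _symtab, _nsym, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({
            "name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
            "flags": flags, "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
    return timestamp, sections


def check_pe(pe: bytes, now: float = None):
    """Return [(section name or 'header', finding)] for the checks listed above."""
    now = time.time() if now is None else now
    timestamp, sections = parse_sections(pe)
    findings = []
    if timestamp > now:
        findings.append(("header", "TimeDateStamp is in the future"))
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for s in sections:
        name = s["name"]
        if not name:
            findings.append((name, "nameless section"))
        elif not all(c.isalnum() or c in "._$" for c in name):
            findings.append((name, "section name contains special chars"))
        if s["entropy"] >= 7.9:                       # threshold is an assumption
            findings.append((name, "high entropy %.3f" % s["entropy"]))
        if s["flags"] & rwx == rwx:
            findings.append((name, "section is writable and executable"))
    return findings


def build_sample_pe(timestamp: int) -> bytes:
    """Construct a minimal PE32 (synthetic test input, not the analysed sample)."""
    packed = bytes(range(256)) * 16                 # uniform bytes: entropy 8.0
    code = b"\x55\x8b\xec\x90" * 128                # repetitive stub: entropy 2.0
    nameless = b"\0" * 0x200                        # all zeros: entropy 0.0
    layout = [  # (name, virtual address, raw data, file offset, characteristics)
        (b"PRSq<", 0x2000, packed, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA
         | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".text", 0x42000, code, 0x1200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b"", 0x4c000, nameless, 0x1400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), timestamp, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)      # PE32 magic, rest zeroed
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), ptr, 0, 0, 0, 0, flags)
        for name, va, data, ptr, flags in layout)
    image = dos + b"PE\0\0" + coff + optional + headers
    image += b"\0" * (0x200 - len(image))                          # pad headers to first raw offset
    for _name, _va, data, ptr, _flags in layout:
        assert len(image) == ptr
        image += data
    return image


if __name__ == "__main__":
    for where, what in check_pe(build_sample_pe(0xB8E5284B)):
        print("%-8s %s" % (where or "(none)", what))
```

Run against a real file with `check_pe(open(path, "rb").read())`; the parser reads only the fields it needs, so it also copes with a truncated optional header as long as SizeOfOptionalHeader is honest.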
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Jan 8, 2025 16:53:01.125919104 CET  49710        80         192.168.2.6    208.95.112.1
Jan 8, 2025 16:53:01.130749941 CET  80           49710      208.95.112.1   192.168.2.6
Jan 8, 2025 16:53:01.130840063 CET  49710        80         192.168.2.6    208.95.112.1
Jan 8, 2025 16:53:01.131408930 CET  49710        80         192.168.2.6    208.95.112.1
Jan 8, 2025 16:53:01.136147976 CET  80           49710      208.95.112.1   192.168.2.6
Jan 8, 2025 16:53:01.595609903 CET  80           49710      208.95.112.1   192.168.2.6
Jan 8, 2025 16:53:01.642144918 CET  49710        80         192.168.2.6    208.95.112.1
Jan 8, 2025 16:53:03.251892090 CET  49712        21         192.168.2.6    162.241.62.63
Jan 8, 2025 16:53:03.256705999 CET  21           49712      162.241.62.63  192.168.2.6
Jan 8, 2025 16:53:03.256817102 CET  49712        21         192.168.2.6    162.241.62.63
Jan 8, 2025 16:53:03.261168957 CET  49712        21         192.168.2.6    162.241.62.63
Jan 8, 2025 16:53:03.266002893 CET  21           49712      162.241.62.63  192.168.2.6
Jan 8, 2025 16:53:03.266191959 CET  49712        21         192.168.2.6    162.241.62.63
Jan 8, 2025 16:53:52.923499107 CET  49710        80         192.168.2.6    208.95.112.1
Jan 8, 2025 16:53:52.928440094 CET  80           49710      208.95.112.1   192.168.2.6
Jan 8, 2025 16:53:52.928513050 CET  49710        80         192.168.2.6    208.95.112.1
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 8, 2025 16:53:01.114375114 CET  56455        53         192.168.2.6  1.1.1.1
Jan 8, 2025 16:53:01.121191978 CET  53           56455      1.1.1.1      192.168.2.6
Jan 8, 2025 16:53:02.911405087 CET  62794        53         192.168.2.6  1.1.1.1
Jan 8, 2025 16:53:03.250587940 CET  53           62794      1.1.1.1      192.168.2.6
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class        DNS over HTTPS
Jan 8, 2025 16:53:01.114375114 CET  192.168.2.6  1.1.1.1  0xd3f0    Standard query (0)  ip-api.com            A (IP address)  IN (0x0001)  false
Jan 8, 2025 16:53:02.911405087 CET  192.168.2.6  1.1.1.1  0x983b    Standard query (0)  ftp.antoniomayol.com  A (IP address)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                  CName             Address        Type                    Class        DNS over HTTPS
Jan 8, 2025 16:53:01.121191978 CET  1.1.1.1    192.168.2.6  0xd3f0    No error (0)  ip-api.com            -                 208.95.112.1   A (IP address)          IN (0x0001)  false
Jan 8, 2025 16:53:03.250587940 CET  1.1.1.1    192.168.2.6  0x983b    No error (0)  ftp.antoniomayol.com  antoniomayol.com  -              CNAME (Canonical name)  IN (0x0001)  false
Jan 8, 2025 16:53:03.250587940 CET  1.1.1.1    192.168.2.6  0x983b    No error (0)  antoniomayol.com      -                 162.241.62.63  A (IP address)          IN (0x0001)  false
                                • ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49710        208.95.112.1    80                6996  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp                           Bytes transferred  Direction  Data
Jan 8, 2025 16:53:01.131408930 CET  80                 OUT        GET /line/?fields=hosting HTTP/1.1
                                                                  Host: ip-api.com
                                                                  Connection: Keep-Alive
Jan 8, 2025 16:53:01.595609903 CET  175                IN         HTTP/1.1 200 OK
                                                                  Date: Wed, 08 Jan 2025 15:53:01 GMT
                                                                  Content-Type: text/plain; charset=utf-8
                                                                  Content-Length: 6
                                                                  Access-Control-Allow-Origin: *
                                                                  X-Ttl: 60
                                                                  X-Rl: 44
                                                                  Data Raw: 66 61 6c 73 65 0a
                                                                  Data Ascii: false
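The traffic above has a shape worth alerting on at the process level: RegAsm.exe (a .NET framework utility, here the hollowing target with PID 6996) asks ip-api.com whether the host is a hosting / data-centre address (the "Check if machine is in data center or colocation facility" signature), receives "false", and two seconds later opens TCP/21 to the host behind ftp.antoniomayol.com. The following is an added example, not part of the Joe Sandbox report: a small correlation over per-process connection records. The record format (timestamp|pid|image path|dst ip|dst port|http request) is invented for the script, the four records are constructed from the TCP, DNS and HTTP tables above plus two benign ones for contrast, and the FTP-client allow-list, the five-minute window and the weights are assumptions.

```python
"""Process-level correlation of the network artefacts shown above.

Added example, not Joe Sandbox code. Three conditions are flagged:
  1. a GET for ip-api.com/line/?fields=hosting (the hosting / data-centre probe);
  2. a connection to TCP/21 from a process that is not a known FTP client, and
     whether it follows that probe from the same PID inside a time window;
  3. any connection from an image under C:\\Windows\\Microsoft.NET\\ (RegAsm.exe
     above), which has no business talking to the internet on its own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample (invented format), modelled on the TCP/DNS/HTTP tables above.
SAMPLE_LOG = r"""
2025-01-08T16:53:01.131|6996|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|208.95.112.1|80|GET http://ip-api.com/line/?fields=hosting
2025-01-08T16:53:03.251|6996|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|162.241.62.63|21|
2025-01-08T16:55:10.000|4120|C:\Program Files\Mozilla Firefox\firefox.exe|93.184.216.34|443|GET https://example.com/
2025-01-08T16:56:00.000|5210|C:\Program Files\FileZilla FTP Client\filezilla.exe|203.0.113.5|21|
"""

DOTNET_ROOT = "c:\\windows\\microsoft.net\\"               # lower-cased prefix
FTP_CLIENTS = {"filezilla.exe", "winscp.exe", "ftp.exe"}   # allow-list (assumption)
HOSTING_PROBE = "ip-api.com/line/?fields=hosting"          # request seen above


@dataclass
class Conn:
    ts: datetime
    pid: int
    image: str
    dst_ip: str
    dst_port: int
    request: str

    @property
    def exe(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> List[Conn]:
    conns = []
    for line in text.strip().splitlines():
        ts, pid, image, ip, port, req = line.split("|", 5)
        conns.append(Conn(datetime.fromisoformat(ts), int(pid), image, ip, int(port), req))
    return sorted(conns, key=lambda c: c.ts)


def analyze(conns: List[Conn], window: timedelta = timedelta(minutes=5)) -> List[Tuple[int, str, str]]:
    """Return (pid, tag, detail) findings; dotnet_utility_network is raised once per PID."""
    findings = []
    probe_seen: Dict[int, datetime] = {}
    dotnet_flagged = set()
    for c in conns:
        if c.image.lower().startswith(DOTNET_ROOT) and c.pid not in dotnet_flagged:
            dotnet_flagged.add(c.pid)
            findings.append((c.pid, "dotnet_utility_network", "%s -> %s:%d" % (c.exe, c.dst_ip, c.dst_port)))
        if HOSTING_PROBE in c.request:
            probe_seen[c.pid] = c.ts
            findings.append((c.pid, "hosting_probe", c.request))
        if c.dst_port == 21 and c.exe not in FTP_CLIENTS:
            if c.pid in probe_seen and c.ts - probe_seen[c.pid] <= window:
                tag = "ftp_after_hosting_probe"      # the chained behaviour seen above
            else:
                tag = "ftp_from_non_ftp_client"
            findings.append((c.pid, tag, "%s -> %s:21" % (c.exe, c.dst_ip)))
    return findings


def score(findings) -> Dict[int, int]:
    """Sum a weight per PID so the chained behaviour outranks any single hit (weights are assumptions)."""
    weights = {"hosting_probe": 2, "ftp_from_non_ftp_client": 2,
               "ftp_after_hosting_probe": 4, "dotnet_utility_network": 3}
    totals: Dict[int, int] = {}
    for pid, tag, _ in findings:
        totals[pid] = totals.get(pid, 0) + weights[tag]
    return totals


if __name__ == "__main__":
    found = analyze(parse_log(SAMPLE_LOG))
    for f in found:
        print(f)
    print(score(found))
```

The hosting probe on its own is weak evidence (legitimate software also uses geo-IP services), which is why it only raises the score; the combination of a .NET utility as the client, the probe, and an FTP control connection from the same PID is what should page someone.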



                                Target ID:0
                                Start time:10:52:59
                                Start date:08/01/2025
                                Path:C:\Users\user\Desktop\x.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\x.exe"
                                Imagebase:0x480000
                                File size:294'912 bytes
                                MD5 hash:10454890A3D7C7C0B7EC0BF7018141E4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2150081464.000000000401F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:10:52:59
                                Start date:08/01/2025
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                Imagebase:0x790000
                                File size:65'440 bytes
                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4588333845.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4587325909.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4588333845.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4588333845.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:27.4%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:133
                                  Total number of Limit Nodes:1
execution_graph (function address -> API called; edges as in the graph, "/" separates the two copies of the same helper)

Entry and orchestration:
c655f8, c655e8 -> c6561c -> c65e78 (7 API calls) / c66139 (7 API calls) -> c656f1
c61bd1, c61bd8 -> c61c25 VirtualProtect -> c61c91

Chain inside c65e78 / c66139 (c65eb5 / c65f02 onward, one target process):
c65f02 -> c66278 / c66269 -> c6629c -> c657cc -> c66380 CreateProcessA -> c666b8 / c66316 -> c65f14
c65f14 -> c66860 / c66851 -> c6687c -> c657e4 -> c66998 Wow64SetThreadContext -> c66a5b -> c668f8 -> c65fa6
c65fa6 -> c66aa9 / c66ab8 -> c66ab2 / c66ad5 -> c6580c -> c66b28 ReadProcessMemory -> c66afb -> c65ff0
c65ff0 -> c66c58 / c66c49 -> c66c7b -> c65824 -> c66d30 VirtualAllocEx -> c66dee -> c66cc3 -> c660f5
c660f5 -> c66e50 / c66e40 -> c66e7a -> c6583c -> c670d8 WriteProcessMemory -> c671bf -> c66e7a (loop), then c66e7a -> c67023 -> c6583c WriteProcessMemory -> c6705b -> c6610d
c6610d -> c67230 / c67221 -> c67257 -> c6583c WriteProcessMemory -> c672c3 -> c65854 -> c66998 Wow64SetThreadContext -> c66a5b -> c67377 -> c6586c -> c67478 ResumeThread -> c67408 -> c66134

Stand-alone wrappers:
c66374 -> c66411 CreateProcessA -> c666b8
c67470 -> c674bd ResumeThread -> c67507
c65830 -> c65835 WriteProcessMemory -> c671bf
c66990 -> c669e5 Wow64SetThreadContext -> c66a5b
c66b20 -> c66b26 -> c66b9c ReadProcessMemory -> c66bee (c66b20 also reaches c66b9c directly)
c66d28 -> c66d2f VirtualAllocEx -> c66dee; c66d28 -> c66cdb
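The execution graph above is a textbook RunPE: the orchestrator at c65e78 / c66139 calls CreateProcessA, then Wow64SetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory (in a loop), another WriteProcessMemory, Wow64SetThreadContext and finally ResumeThread, all against the RegAsm.exe child listed in the process table. The following is an added example, not part of the Joe Sandbox report: an ordered-subsequence matcher that recognises that chain in a per-process API trace. The trace format (ts|caller pid|api|target pid|args) is invented for the script and assumes process handles have already been resolved to the target PID; the sample trace is constructed after the graph above, and its PIDs and argument values are made up.

```python
"""Match the process-hollowing call chain from the execution graph above.

Added example, not Joe Sandbox code. A finding requires, from one caller against
one target, in this order: CreateProcess* with CREATE_SUSPENDED, VirtualAllocEx
(optional: an injector that overwrites the existing mapping never allocates),
WriteProcessMemory, (Wow64)SetThreadContext, ResumeThread. Any other call in
between (ReadProcessMemory, an early SetThreadContext, a second
WriteProcessMemory for the next section) is ignored, as in the graph above.
"""
import re
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004

# (stage name, API name regex, required?)
STAGES = [
    ("create_suspended", re.compile(r"^CreateProcess(A|W|InternalW)?$"), True),
    ("alloc", re.compile(r"^(VirtualAllocEx|(Nt|Zw)AllocateVirtualMemory)$"), False),
    ("write", re.compile(r"^(WriteProcessMemory|(Nt|Zw)WriteVirtualMemory)$"), True),
    ("set_context", re.compile(r"^((Wow64)?SetThreadContext|(Nt|Zw)SetContextThread)$"), True),
    ("resume", re.compile(r"^(Nt|Zw)?ResumeThread$"), True),
]

# Constructed trace (invented format): PIDs 7256/7300 follow the graph above,
# PIDs 4120/4300 are an ordinary process start for contrast.
SAMPLE_TRACE = r"""
16:53:00.100|7256|CreateProcessA|7300|app=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe dwCreationFlags=0x4
16:53:00.120|7256|Wow64SetThreadContext|7300|
16:53:00.130|7256|ReadProcessMemory|7300|addr=0x7ffde008 size=4
16:53:00.140|7256|VirtualAllocEx|7300|addr=0x400000 size=0x4e000 prot=0x40
16:53:00.150|7256|WriteProcessMemory|7300|addr=0x400000 size=0x400
16:53:00.160|7256|WriteProcessMemory|7300|addr=0x402000 size=0x7b1c
16:53:00.170|7256|Wow64SetThreadContext|7300|eax=0x44c00a
16:53:00.180|7256|ResumeThread|7300|
16:53:05.000|4120|CreateProcessA|4300|app=C:\Windows\System32\notepad.exe dwCreationFlags=0x0
16:53:05.010|4120|ResumeThread|4300|
"""


def parse_trace(text: str) -> List[Dict]:
    calls = []
    for line in text.strip().splitlines():
        ts, pid, api, target, args = line.split("|", 4)
        calls.append({"ts": ts, "pid": int(pid), "api": api, "target": int(target), "args": args})
    return calls


def creation_flags(args: str) -> int:
    """Pull dwCreationFlags out of the argument string (0 when absent)."""
    m = re.search(r"dwCreationFlags=(0x[0-9a-fA-F]+|\d+)", args)
    return int(m.group(1), 0) if m else 0


def detect_hollowing(calls: List[Dict]) -> List[Dict]:
    """One finding per (caller, target) pair whose calls complete the chain in order."""
    progress: Dict[Tuple[int, int], Tuple[int, List[str]]] = {}
    findings = []
    for c in calls:
        key = (c["pid"], c["target"])
        idx, matched = progress.get(key, (0, []))
        j = idx
        while j < len(STAGES):
            name, pattern, required = STAGES[j]
            if pattern.match(c["api"]):
                if name == "create_suspended" and not creation_flags(c["args"]) & CREATE_SUSPENDED:
                    break                     # ordinary process start, not a hollowing setup
                matched = matched + ["%s %s" % (c["ts"], c["api"])]
                idx = j + 1                   # stages idx..j-1 were optional and skipped
                break
            if required:
                break                         # a required stage cannot be skipped
            j += 1
        progress[key] = (idx, matched)
        if idx == len(STAGES):
            findings.append({"caller": c["pid"], "target": c["target"], "chain": matched})
            progress[key] = (0, [])           # start over for a later injection into the same target
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(parse_trace(SAMPLE_TRACE)):
        print("caller %d -> target %d" % (f["caller"], f["target"]))
        for step in f["chain"]:
            print("   ", step)
```

Keying on (caller, target) rather than on the caller alone is what keeps the notepad.exe start from contaminating the RegAsm.exe chain; on real telemetry the same state machine can be fed from Sysmon event 10 / ETW kernel-process events once handles are mapped to PIDs.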
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: <$@
                                  • API String ID: 0-1426351568
                                  • Opcode ID: e02d1d185cee9fe49fb8d9399708c0424a992933c3032719480f0335494a6256
                                  • Instruction ID: 80a85af89a68746af637a33a4ead92bafc4c87e1bcecd96e4bbd660283b42505
                                  • Opcode Fuzzy Hash: e02d1d185cee9fe49fb8d9399708c0424a992933c3032719480f0335494a6256
                                  • Instruction Fuzzy Hash: 31629074D01219CFDB64DFA9C981A9DFBF2BF48312F19C1A9D858AB211E7309A81CF54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: [F
                                  • API String ID: 0-583136422
                                  • Opcode ID: 49b172acd74603a4215fae9fa544b58dd18ff5d1ce56b0e0949d7ebecdd7af21
                                  • Instruction ID: a6cc94d00aa93b2758d966351edc50e29b91a70b85ef00ce2d648b420fed02b5
                                  • Opcode Fuzzy Hash: 49b172acd74603a4215fae9fa544b58dd18ff5d1ce56b0e0949d7ebecdd7af21
                                  • Instruction Fuzzy Hash: 7752D174E012598FDB64DFA9C980A9EFBF2BF49301F25C1A9D448AB212D7309E81CF55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: [F
                                  • API String ID: 0-583136422
                                  • Opcode ID: 9f5d67080a5c9e3b1da682fb34a04b2887414132700363ca5ab3496d3cc72ad9
                                  • Instruction ID: b950e725f9a6332f79a05f1d06ec372377368ef7ebe182bbe489146f9199eb0a
                                  • Opcode Fuzzy Hash: 9f5d67080a5c9e3b1da682fb34a04b2887414132700363ca5ab3496d3cc72ad9
                                  • Instruction Fuzzy Hash: 0AC1E774E012698FEB64CF69C850BDABBB2BF89300F14C4EAD549A7255DB304E85CF51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b03404fdd9def6d9a65621e5cfe8578d779ba7455bb0420e1ef81fad8740dc69
                                  • Instruction ID: 53fab63fbf617632a741d478e8df495b0e4b2e48b387671957be755fe7f22ad4
                                  • Opcode Fuzzy Hash: b03404fdd9def6d9a65621e5cfe8578d779ba7455bb0420e1ef81fad8740dc69
                                  • Instruction Fuzzy Hash: 89427074E01629CFDB64CFA9C984B9DBBF2BF48301F5581A9E809A7355D730AA81CF50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 735698303772c171d993940e1bda0335585162af69a5790a9316a172d1cf9948
                                  • Instruction ID: 4184f9002c86d553752d065f0750aba0a880b5ce0f05d3314d367561b4ef0d3a
                                  • Opcode Fuzzy Hash: 735698303772c171d993940e1bda0335585162af69a5790a9316a172d1cf9948
                                  • Instruction Fuzzy Hash: 6D61B774E01618CFDB14CFA6C994B9DBBF2BF88300F1581A9D809A7365D735A946CF50

                                  Control-flow Graph

control_flow_graph (function at c66374; each line is a basic block followed by its successors)
c66374-c66423 -> c66485-c664b0, c66425-c66455
c66425-c66455 -> c66485-c664b0, c66457-c6645c
c66457-c6645c -> c6645e-c66468, c6647f-c66482
c6645e-c66468 -> c6646c-c6647b, c6646a
c6646a -> c6646c-c6647b
c6646c-c6647b -> c6646c-c6647b, c6647d
c6647d -> c6647f-c66482
c6647f-c66482 -> c66485-c664b0
c66485-c664b0 -> c66512-c6656b, c664b2-c664e2
c664b2-c664e2 -> c66512-c6656b, c664e4-c664e9
c664e4-c664e9 -> c6650c-c6650f, c664eb-c664f5
c664eb-c664f5 -> c664f7, c664f9-c66508
c664f7 -> c664f9-c66508
c664f9-c66508 -> c664f9-c66508, c6650a
c6650a -> c6650c-c6650f
c6650c-c6650f -> c66512-c6656b
c66512-c6656b -> c6656d-c6659a, c665ca-c666b6
c6656d-c6659a -> c665ca-c666b6, c6659c-c665a1
c6659c-c665a1 -> c665c4-c665c7, c665a3-c665ad
c665a3-c665ad -> c665b1-c665c0, c665af
c665af -> c665b1-c665c0
c665b1-c665c0 -> c665b1-c665c0, c665c2
c665c2 -> c665c4-c665c7
c665c4-c665c7 -> c665ca-c666b6
c665ca-c666b6 CreateProcessA -> c666bf-c66799, c666b8-c666be
c666b8-c666be -> c666bf-c66799
c666bf-c66799 -> c6679b-c6679f, c667a9-c667ad
c6679b-c6679f -> c667a9-c667ad, c667a1
c667a1 -> c667a9-c667ad
c667a9-c667ad -> c667af-c667b3, c667bd-c667c1
c667af-c667b3 -> c667bd-c667c1, c667b5
c667b5 -> c667bd-c667c1
c667bd-c667c1 -> c667c3-c667c7, c667d1-c667d5
c667c3-c667c7 -> c667d1-c667d5, c667c9
c667c9 -> c667d1-c667d5
c667d1-c667d5 -> c667d7-c66800, c6680b-c66816
c667d7-c66800 -> c6680b-c66816
c6680b-c66816 -> c66817
c66817 -> c66817
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,037A358C,037A3590,00C66316,?,?,?,?,?), ref: 00C666A3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 1a6abd47acefbebd21e9008a9fc3ffd4e2c3be4bcadf6f722be0f4a7a9cc3072
                                  • Instruction ID: 73c20eae001e7f01382b91b03d3d40b67624ca6668fd792df780b6163048d119
                                  • Opcode Fuzzy Hash: 1a6abd47acefbebd21e9008a9fc3ffd4e2c3be4bcadf6f722be0f4a7a9cc3072
                                  • Instruction Fuzzy Hash: 22D12671D002198FDF24CFA8C981BEDBBF1BF49304F1091AAE459A7290DB749A85CF95

                                  Control-flow Graph

control_flow_graph (function at c657cc, sharing its body with c66374 from c66423 on; each line is a basic block followed by its successors)
c657cc-c66423 -> c66485-c664b0, c66425-c66455
c66425-c66455 -> c66485-c664b0, c66457-c6645c
c66457-c6645c -> c6645e-c66468, c6647f-c66482
c6645e-c66468 -> c6646c-c6647b, c6646a
c6646a -> c6646c-c6647b
c6646c-c6647b -> c6646c-c6647b, c6647d
c6647d -> c6647f-c66482
c6647f-c66482 -> c66485-c664b0
c66485-c664b0 -> c66512-c6656b, c664b2-c664e2
c664b2-c664e2 -> c66512-c6656b, c664e4-c664e9
c664e4-c664e9 -> c6650c-c6650f, c664eb-c664f5
c664eb-c664f5 -> c664f7, c664f9-c66508
c664f7 -> c664f9-c66508
c664f9-c66508 -> c664f9-c66508, c6650a
c6650a -> c6650c-c6650f
c6650c-c6650f -> c66512-c6656b
c66512-c6656b -> c6656d-c6659a, c665ca-c666b6
c6656d-c6659a -> c665ca-c666b6, c6659c-c665a1
c6659c-c665a1 -> c665c4-c665c7, c665a3-c665ad
c665a3-c665ad -> c665b1-c665c0, c665af
c665af -> c665b1-c665c0
c665b1-c665c0 -> c665b1-c665c0, c665c2
c665c2 -> c665c4-c665c7
c665c4-c665c7 -> c665ca-c666b6
c665ca-c666b6 CreateProcessA -> c666bf-c66799, c666b8-c666be
c666b8-c666be -> c666bf-c66799
c666bf-c66799 -> c6679b-c6679f, c667a9-c667ad
c6679b-c6679f -> c667a9-c667ad, c667a1
c667a1 -> c667a9-c667ad
c667a9-c667ad -> c667af-c667b3, c667bd-c667c1
c667af-c667b3 -> c667bd-c667c1, c667b5
c667b5 -> c667bd-c667c1
c667bd-c667c1 -> c667c3-c667c7, c667d1-c667d5
c667c3-c667c7 -> c667d1-c667d5, c667c9
c667c9 -> c667d1-c667d5
c667d1-c667d5 -> c667d7-c66800, c6680b-c66816
c667d7-c66800 -> c6680b-c66816
c6680b-c66816 -> c66817
c66817 -> c66817
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,037A358C,037A3590,00C66316,?,?,?,?,?), ref: 00C666A3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 06dc161548f705f4b7d3bc6390d3970bf9392e89d7fafde002279bc44147b5f1
                                  • Instruction ID: 24b7c3f1199345eb66bf02d836450b0439b9dd07f775ff248bdccebd5b3f90da
                                  • Opcode Fuzzy Hash: 06dc161548f705f4b7d3bc6390d3970bf9392e89d7fafde002279bc44147b5f1
                                  • Instruction Fuzzy Hash: D4D12571D002298FDB24CFA8C981BEDBBF1BF49304F1091A9E459A7290DB749E85CF95

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c65830-c67210; calls WriteProcessMemory)
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 00C671AD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: a0f05d1eac40192fc2f4723208ab02fc35886a019b957c6cdeeff88f61167aef
                                  • Instruction ID: f59f3380dac87161a6145bcd9c723926c0466d4577d0288be55f3309c5307b98
                                  • Opcode Fuzzy Hash: a0f05d1eac40192fc2f4723208ab02fc35886a019b957c6cdeeff88f61167aef
                                  • Instruction Fuzzy Hash: 4F41BBB5D042589FDB10CFA9D884AEEFBF0BF49314F24946AE818BB210D374A945CF54

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c66cdb-c66e37, with a call to internal function c64758; calls VirtualAllocEx)
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C66DDC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: f0680a974a7396a9b3fbfaf5b82e8314fe99adb96a0d1d74a8f4b09bb8e8ebf8
                                  • Instruction ID: 8224618ea38ccf30f9231be07106c9b3bf58ef00f01dae17e52433d2e4315b17
                                  • Opcode Fuzzy Hash: f0680a974a7396a9b3fbfaf5b82e8314fe99adb96a0d1d74a8f4b09bb8e8ebf8
                                  • Instruction Fuzzy Hash: AA4189B9D052589FCB10CFA9D984ADEFBB0BB4A310F24911AE814B7250D735A952CF68

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c6583c-c67210; calls WriteProcessMemory)
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 00C671AD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 9479b373e0a58ab2c17056756ad4f44ade7548efd6e04119bd5df4cbc1c71ff2
                                  • Instruction ID: dc1733b320ede728a3363c6228481791b50bb1d75dd3f32a21e6e5a434099784
                                  • Opcode Fuzzy Hash: 9479b373e0a58ab2c17056756ad4f44ade7548efd6e04119bd5df4cbc1c71ff2
                                  • Instruction Fuzzy Hash: 014199B5D042589FDF10CFA9D984AEEFBF1BB49314F24942AE818BB210D375A944CF64

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c670d2-c67210; calls WriteProcessMemory)
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 00C671AD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 816114c39b0407c9ff082824602d48dce4369fb8b86c46e85c5dd624582c5d42
                                  • Instruction ID: 0a675649d43610011c0be92ae0a93fdf8f742d04198760ee5e243961488585ec
                                  • Opcode Fuzzy Hash: 816114c39b0407c9ff082824602d48dce4369fb8b86c46e85c5dd624582c5d42
                                  • Instruction Fuzzy Hash: 1C4197B5D042589FDF10CFA9D880AEEFBF1BB49310F24902AE818BB210D374AA45CF54

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c6580c-c66c3f; calls ReadProcessMemory)
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(00000004,?,00C66AFB,?,?), ref: 00C66BDC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: 865142aabf02b6ef2c890d7691ea9c8c63fc2ab36ea721d599cb051de7e03138
                                  • Instruction ID: f3256a749bb548882debff037ed69bead2e3150287c0d842fb7da4e4af7ffab8
                                  • Opcode Fuzzy Hash: 865142aabf02b6ef2c890d7691ea9c8c63fc2ab36ea721d599cb051de7e03138
                                  • Instruction Fuzzy Hash: D84187B9D04258DFCB10CFA9D984ADEFBF0BB49310F20906AE818B7210D375A945CF68

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c66b20-c66c3f; calls ReadProcessMemory)
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(00000004,?,00C66AFB,?,?), ref: 00C66BDC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: fa7a16afe31419089f4d65da3945c6fae04e6072b107121f8e7da5a0fb289a11
                                  • Instruction ID: 6c746ca112df43dd09d6d0bdf5ad6b0e66f0d21405c420cdd2650b07d2603566
                                  • Opcode Fuzzy Hash: fa7a16afe31419089f4d65da3945c6fae04e6072b107121f8e7da5a0fb289a11
                                  • Instruction Fuzzy Hash: 4841A7B9D04258DFCF10CFA9D984ADEFBB0BB49310F20902AE818B7210C375AA45CF64

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c65824-c66e37; calls VirtualAllocEx)
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C66DDC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 0827af54d8e512d6ce77731fd49463dcab0400494fe11f5852418e33b6242439
                                  • Instruction ID: c0e6ed636fa1ee8d2c318f4912dc5945cd65f8e59c2216a18bd2652cb7ccfb74
                                  • Opcode Fuzzy Hash: 0827af54d8e512d6ce77731fd49463dcab0400494fe11f5852418e33b6242439
                                  • Instruction Fuzzy Hash: DF4168B9D052589FCF10CFA9D984A9EFBF5AB09310F20902AE918B7310D375A941CB54

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c65854-c66aa6; calls Wow64SetThreadContext)
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00C66A49
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: f477aa816a9ec850477f8ee76a2c345d9bcc1e7ed57ffd21c35bea43ab0a1ede
                                  • Instruction ID: fadf4c488b9c54e14c8d017e58de5b426c6a680927a3dc1fbb9f29938d49ec8f
                                  • Opcode Fuzzy Hash: f477aa816a9ec850477f8ee76a2c345d9bcc1e7ed57ffd21c35bea43ab0a1ede
                                  • Instruction Fuzzy Hash: 3C4199B5D01258DFDB10CFAAD984ADEFBF0BB49310F24802AE419B7211D378AA45CF94

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c61bd1-c61cd4; calls VirtualProtect)
                                  APIs
                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C61C7F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID:
                                  • API String ID: 544645111-0
                                  • Opcode ID: 54edf722137cee93b8ec1e7a1aebddb6739eed4963af406defcb27a45111d205
                                  • Instruction ID: e669dbd7f3b831fdb6cef51011725950d1184a0cea8ca3acb66e3b333dd611fd
                                  • Opcode Fuzzy Hash: 54edf722137cee93b8ec1e7a1aebddb6739eed4963af406defcb27a45111d205
                                  • Instruction Fuzzy Hash: 7831AAB9D042589FCF10CFA9D580ADEFBF0AB59310F24906AE815B7210D375A945CF64

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c657e4-c66aa6; calls Wow64SetThreadContext)
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00C66A49
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: a86226c6e69d78f91625100534b8b18fa2462606446e9b94946b504bcc7df174
                                  • Instruction ID: 35235d855ba64ebb2998d1ce1911388c5316dbf487730658891ba3352db76301
                                  • Opcode Fuzzy Hash: a86226c6e69d78f91625100534b8b18fa2462606446e9b94946b504bcc7df174
                                  • Instruction Fuzzy Hash: B84199B5D052589FDB10CFAAD984ADEFBF0BB49310F24802AE419B7211D378AA45CF54

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c66990-c66aa6; calls Wow64SetThreadContext)
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00C66A49
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: bb275d48b7ee43214760c925398d518944aed9a754cd8d78bf52b27ee51a18ff
                                  • Instruction ID: f4da2e0dd409cce6fd571ed185b2b397357665b03531a85c154660f383b9f354
                                  • Opcode Fuzzy Hash: bb275d48b7ee43214760c925398d518944aed9a754cd8d78bf52b27ee51a18ff
                                  • Instruction Fuzzy Hash: BE4199B5D012599FDB10CFAAD984ADEFBF0BB49310F24802AE419B7351D378A949CF54

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c61bd8-c61cd4; calls VirtualProtect)
                                  APIs
                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C61C7F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID:
                                  • API String ID: 544645111-0
                                  • Opcode ID: 37a442fb39f47952710ca2873469f5b700170e19f691fd138de9913b014b7067
                                  • Instruction ID: efac97fb9015294179361661f1c69eccd8634ae7f08afb16ee74d78a352cc217
                                  • Opcode Fuzzy Hash: 37a442fb39f47952710ca2873469f5b700170e19f691fd138de9913b014b7067
                                  • Instruction Fuzzy Hash: A43197B9D04258AFCB10CFA9D580ADEFBF0AB19310F24902AE818B7210D375A945CFA4

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks c6586c-c67548; calls ResumeThread)
                                  APIs
                                  • ResumeThread.KERNELBASE(00000000), ref: 00C674F5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: f2cb5f13a9c2781e590e174462cc3abe5202770f0bb09e7b5802bb42acf5d783
                                  • Instruction ID: 47012d175f58be6c6577d4cf9bfba820ce0ed0cd83aa1c48b4d01c8c0f03e138
                                  • Opcode Fuzzy Hash: f2cb5f13a9c2781e590e174462cc3abe5202770f0bb09e7b5802bb42acf5d783
                                  • Instruction Fuzzy Hash: BE31CBB4D052189FDB10CFA9D584A9EFBF4EB49314F20946AE815B7310D774A940CFA4
                                  APIs
                                  • ResumeThread.KERNELBASE(00000000), ref: 00C674F5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2143298601.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_c60000_x.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: f8339d44a43fc465efb76ef432f85e58ff5ae8b944f449a5f9d5dad467dfa1b7
                                  • Instruction ID: a68d0b6903faa0253f4fb3faa830ba5ca607f505176b2c2e491de52ecb4a1202
                                  • Opcode Fuzzy Hash: f8339d44a43fc465efb76ef432f85e58ff5ae8b944f449a5f9d5dad467dfa1b7
                                  • Instruction Fuzzy Hash: 4731DAB4D052589FDB10CFA9E984ADEFBF0AB49310F20905AE815B7310C338A905CF94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2142591062.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_aad000_x.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 787573edd39addc598f340f837bd6fb1c5cfb98c333ef29a38e8a63554b5e4a6
                                  • Instruction ID: 38054838279be6f5f58aa82083a506e298ff58c2978981401f7d14dbfb6a4eec
                                  • Opcode Fuzzy Hash: 787573edd39addc598f340f837bd6fb1c5cfb98c333ef29a38e8a63554b5e4a6
                                  • Instruction Fuzzy Hash: F9210375500204EFDB04DF14D9C0B26BB65FB99324F20C56DE94A0F696C33AE856DAA2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2142591062.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_aad000_x.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                  • Instruction ID: 2d6d5a00c7c59b08aae19cdb5e007e3056cab7b85d838320d649ded9bb8bda2a
                                  • Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                  • Instruction Fuzzy Hash: 4611D376504240DFDB15CF10D5C4B16BF71FB99324F24C6A9D84A0B656C33AE856CBA1

                                  Execution Graph

                                  Execution Coverage:10.7%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:12%
                                  Total number of Nodes:25
                                  Total number of Limit Nodes:4
                                  (rendered execution graph not reproduced; API nodes in the graph: CheckRemoteDebuggerPresent at 2a470b4, CreateWindowExW at 566e178, GlobalMemoryStatusEx at 63dfc78 and 63dfc88)

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks 63d5270-63d59a2; no API calls in this function)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $
                                  • API String ID: 0-3993045852
                                  • Opcode ID: b9203ec7d1f698331cf2daddaecc9e204daa9a5f9199ec929cac9ea5f45d5422
                                  • Instruction ID: 1c73a29b727d2a1947e56a87b5b349fe6523a5e74df34367147b9896e5649e46
                                  • Opcode Fuzzy Hash: b9203ec7d1f698331cf2daddaecc9e204daa9a5f9199ec929cac9ea5f45d5422
                                  • Instruction Fuzzy Hash: 6E22D072F012558FDF61DBA4D8806AEBBB2EF85320F24846AD446EB345DA31DD49CB90

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 757 2a47070-2a470f4 CheckRemoteDebuggerPresent 759 2a470f6-2a470fc 757->759 760 2a470fd-2a47138 757->760 759->760
                                  APIs
                                  • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02A470E7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4588286900.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2a40000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  • Opcode ID: 8fb5963dd3d8516904e19b3cd7544fb334b646655e46c65838fa1d809e666da4
                                  • Instruction ID: 26e73d4c87eb0f800f1bedf0452cae080b86c303c130804cf6bc362aef059657
                                  • Opcode Fuzzy Hash: 8fb5963dd3d8516904e19b3cd7544fb334b646655e46c65838fa1d809e666da4
                                  • Instruction Fuzzy Hash: 122159B2801259CFDB10CF9AD884BEEFBF4AF88324F14845AE455A3250C778A944CF61
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: af1e31e1a220a8a19d1b08522bbb684de2db6f965b3eb4ef4a6006c589896c65
                                  • Instruction ID: 7cc5e0f8eea1258520cefe679d23d60a6df3690159b56f47dcc651ff597e5bc5
                                  • Opcode Fuzzy Hash: af1e31e1a220a8a19d1b08522bbb684de2db6f965b3eb4ef4a6006c589896c65
                                  • Instruction Fuzzy Hash: E8D24931E10209CFDB64DB68D584A9EB7B2FF89300F5485AAD449AB255DB31ED86CF80
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3a136d7281ef51cc03dadd3ee4bbbbbf20dfc3ec6c82cb35c48f71722c5f893e
                                  • Instruction ID: 05e6e1d46edc132d5e85744fbc67462b4a5003bc09ac231324f81bda5d1735d3
                                  • Opcode Fuzzy Hash: 3a136d7281ef51cc03dadd3ee4bbbbbf20dfc3ec6c82cb35c48f71722c5f893e
                                  • Instruction Fuzzy Hash: 7962BC32F002058FDB54EB68E995AADB7F2EF89310F148469E416DB391DB31ED46CB90
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37189b06a3da4dda7cebc0cfa8f4babf98ea4b2da61c25b0f4d728f820f07436
                                  • Instruction ID: 71c3ff9ab8618388702cc5f8df78a0bb18808c1a164889f2c96abf57a913566c
                                  • Opcode Fuzzy Hash: 37189b06a3da4dda7cebc0cfa8f4babf98ea4b2da61c25b0f4d728f820f07436
                                  • Instruction Fuzzy Hash: D95260B1E102098FEF64DB68E4807ADF7B6FB85310F11852AE406EB355DA35DC89CB91
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 59dc4c7a4aeb943be76fd30e58627a15a3b6698a5ae5c6952b825ab2eb324c02
                                  • Instruction ID: ffdaec4bd1d6bc041e456bb3da8c5ab9e07b37714cd5b2b6a4a37b760358768c
                                  • Opcode Fuzzy Hash: 59dc4c7a4aeb943be76fd30e58627a15a3b6698a5ae5c6952b825ab2eb324c02
                                  • Instruction Fuzzy Hash: FE32A031B202098FDF54DB68E890BAEB7B6FB88310F109529E505EB355DB35EC46CB91
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5ff710f5d7430e40e43babd1fc47b6eca93a3e048915a0a75797457d6cd5ed3f
                                  • Instruction ID: 0dbbd681f0c84274dde153c894dd63feeb5f1832008669b7206621f7f25f7cfb
                                  • Opcode Fuzzy Hash: 5ff710f5d7430e40e43babd1fc47b6eca93a3e048915a0a75797457d6cd5ed3f
                                  • Instruction Fuzzy Hash: 73029D31B012069FDB54DB68E890AAEB7F6FF84310F148569D4169B385DB31ED8ACBD0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 635 566bf18-566bf37 637 566bf63-566bf67 635->637 638 566bf39-566bf46 call 566ae8c 635->638 640 566bf7b-566bfbc 637->640 641 566bf69-566bf73 637->641 644 566bf5c 638->644 645 566bf48 638->645 647 566bfbe-566bfc6 640->647 648 566bfc9-566bfd7 640->648 641->640 644->637 692 566bf4e call 566c1b2 645->692 693 566bf4e call 566c1c0 645->693 647->648 649 566bffb-566bffd 648->649 650 566bfd9-566bfde 648->650 655 566c000-566c007 649->655 652 566bfe0-566bfe7 call 566ae98 650->652 653 566bfe9 650->653 651 566bf54-566bf56 651->644 654 566c098-566c158 651->654 657 566bfeb-566bff9 652->657 653->657 687 566c160-566c18b GetModuleHandleW 654->687 688 566c15a-566c15d 654->688 658 566c014-566c01b 655->658 659 566c009-566c011 655->659 657->655 662 566c01d-566c025 658->662 663 566c028-566c031 call 566456c 658->663 659->658 662->663 667 566c033-566c03b 663->667 668 566c03e-566c043 663->668 667->668 669 566c045-566c04c 668->669 670 566c061-566c06e 668->670 669->670 672 566c04e-566c05e call 5668e04 call 566aea8 669->672 677 566c070-566c08e 670->677 678 566c091-566c097 670->678 672->670 677->678 689 566c194-566c1a8 687->689 690 566c18d-566c193 687->690 688->687 690->689 692->651 693->651
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0566C17E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4590949928.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5660000_RegAsm.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: dd8e074996353e4510db2354d8eb699964d82cb1680d523cd5d6f0749d87d921
                                  • Instruction ID: 029a4a38632358f87c8d6535db755a49e6663152ed25771dbe9533e3020934a9
                                  • Opcode Fuzzy Hash: dd8e074996353e4510db2354d8eb699964d82cb1680d523cd5d6f0749d87d921
                                  • Instruction Fuzzy Hash: 80813570A00B459FEB24DF6AD44475ABBF1FF88604F008A2ED48AD7B50DB75E845CB90

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 694 2a4f170-2a4f17b 695 2a4f1a5-2a4f1a8 694->695 696 2a4f17d-2a4f1a4 694->696 697 2a4f1a9-2a4f1bb 695->697 700 2a4f1bd 697->700 718 2a4f1bd call 2a4f200 700->718 719 2a4f1bd call 2a4f240 700->719 720 2a4f1bd call 2a4f160 700->720 721 2a4f1bd call 2a4f170 700->721 701 2a4f1c2-2a4f1c4 702 2a4f1c6-2a4f1c9 701->702 703 2a4f1ca-2a4f20c 701->703 703->700 708 2a4f20e-2a4f21c 703->708 708->697 709 2a4f21e-2a4f229 708->709 710 2a4f22f-2a4f2bc GlobalMemoryStatusEx 709->710 711 2a4f22b-2a4f22e 709->711 714 2a4f2c5-2a4f2ed 710->714 715 2a4f2be-2a4f2c4 710->715 715->714 718->701 719->701 720->701 721->701
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4588286900.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2a40000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f99612114c336958f3c0e6fc1b821730f8806359164b345ed5f128b68c8d203b
                                  • Instruction ID: 302859d4ff3d08c047adf0e97f1e2c9407bf7c41825148b6cba267ae950678db
                                  • Opcode Fuzzy Hash: f99612114c336958f3c0e6fc1b821730f8806359164b345ed5f128b68c8d203b
                                  • Instruction Fuzzy Hash: 1D414572D0478A9FDB10CFB9D8446DEFBB0AFC9220F14866AD854E7241DB349885CBE1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 722 566e104-566e176 724 566e181-566e188 722->724 725 566e178-566e17e 722->725 726 566e193-566e1cb 724->726 727 566e18a-566e190 724->727 725->724 728 566e1d3-566e232 CreateWindowExW 726->728 727->726 729 566e234-566e23a 728->729 730 566e23b-566e273 728->730 729->730 734 566e275-566e278 730->734 735 566e280 730->735 734->735 736 566e281 735->736 736->736
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0566E222
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4590949928.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5660000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 3e3e704c75e3050b68ad93cb5fd7586643652e97ceec933da446e90f70ef6fa7
                                  • Instruction ID: 57715acd13a7836530d689a06da12bb8f2fefcf5d109edba4e43028f0852227a
                                  • Opcode Fuzzy Hash: 3e3e704c75e3050b68ad93cb5fd7586643652e97ceec933da446e90f70ef6fa7
                                  • Instruction Fuzzy Hash: 5451C2B5D04349EFDB14CF9AC884ADEFBB6BF48714F24852AE819AB210D7719845CF90

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 737 566e110-566e176 738 566e181-566e188 737->738 739 566e178-566e17e 737->739 740 566e193-566e232 CreateWindowExW 738->740 741 566e18a-566e190 738->741 739->738 743 566e234-566e23a 740->743 744 566e23b-566e273 740->744 741->740 743->744 748 566e275-566e278 744->748 749 566e280 744->749 748->749 750 566e281 749->750 750->750
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0566E222
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4590949928.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5660000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: e9dd3069e3601ff0ebe1e339701e158ea06845d69069fad1be3a0dc745b7ea78
                                  • Instruction ID: e04edd994f89339e265f8178bf3bc60c0dc59b99424a533735f40231cad274d8
                                  • Opcode Fuzzy Hash: e9dd3069e3601ff0ebe1e339701e158ea06845d69069fad1be3a0dc745b7ea78
                                  • Instruction Fuzzy Hash: 7A41B0B5D10349DFDB14CF9AC984ADEFBB6BF48310F24852AE819AB210D7759845CF90

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 751 2a4706a-2a470f4 CheckRemoteDebuggerPresent 753 2a470f6-2a470fc 751->753 754 2a470fd-2a47138 751->754 753->754
                                  APIs
                                  • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02A470E7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4588286900.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2a40000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  • Opcode ID: 5008ad96f5142d2a575faac098cc1bce857b6f4a45be172bf4a14daadfc2ddff
                                  • Instruction ID: a45bc41dc14079d06984899edcb70a3939cfc3f6cd14054939a8bc5c7413c699
                                  • Opcode Fuzzy Hash: 5008ad96f5142d2a575faac098cc1bce857b6f4a45be172bf4a14daadfc2ddff
                                  • Instruction Fuzzy Hash: 052159B2801259CFDB10CF9AD885BEEFBF4EF88324F14845AE459A7250C778A945CF61

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 887 2a4f240-2a4f2bc GlobalMemoryStatusEx 889 2a4f2c5-2a4f2ed 887->889 890 2a4f2be-2a4f2c4 887->890 890->889
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 02A4F2AF
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4588286900.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2a40000_RegAsm.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: eaf144607808ee1505c6835e8eefd036752fe8a7beab7bb2ec804aa82ee4cfef
                                  • Instruction ID: a5ff92b8bfc7a061d7b6d62c99b22f032e3a21daa7d34138cac590a33e5e7cdb
                                  • Opcode Fuzzy Hash: eaf144607808ee1505c6835e8eefd036752fe8a7beab7bb2ec804aa82ee4cfef
                                  • Instruction Fuzzy Hash: 8A1114B2C0065ADFDB10CFAAC544BDEFBB4AF48324F14815AD818B7240D778A944CFA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 893 566c118-566c158 894 566c160-566c18b GetModuleHandleW 893->894 895 566c15a-566c15d 893->895 896 566c194-566c1a8 894->896 897 566c18d-566c193 894->897 895->894 897->896
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0566C17E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4590949928.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5660000_RegAsm.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 2219707def752dfe65b8215591fc88f40ec961e526c52d0fe5374d425dc21bfd
                                  • Instruction ID: ed7ca4d05ded19ebcc9e5b65e5c688f757748f3b11987c50f749f0623f98e424
                                  • Opcode Fuzzy Hash: 2219707def752dfe65b8215591fc88f40ec961e526c52d0fe5374d425dc21bfd
                                  • Instruction Fuzzy Hash: C41110B6C047498FDB10CF9AC844BDEFBF4EB88624F10841AD469A7610C378A545CFA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1344 63dfed8-63dff06 1345 63dff0f-63dff2e 1344->1345 1357 63dff09 call 2a4ecd8 1344->1357 1358 63dff09 call 2a4ecc9 1344->1358 1349 63dff36-63dff60 1345->1349 1352 63dff81 1349->1352 1353 63dff62-63dff7f 1349->1353 1354 63dff93-63dff9a 1352->1354 1353->1354 1357->1345 1358->1345
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: |
                                  • API String ID: 0-2343686810
                                  • Opcode ID: f66b14b929745a5c76a623944190e4286993100ea1d7e7fef24f4aab7b4b585d
                                  • Instruction ID: 307e3c76088c1ff524256957cd48693f8fdf7267c7ccb3493858c800203065f1
                                  • Opcode Fuzzy Hash: f66b14b929745a5c76a623944190e4286993100ea1d7e7fef24f4aab7b4b585d
                                  • Instruction Fuzzy Hash: 0A117C75F002249FDB54DF789904B6EBBF5AF4C600F10446AEA0AE73A0DA3599018B84

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1359 63dfee8-63dff06 1372 63dff09 call 2a4ecd8 1359->1372 1373 63dff09 call 2a4ecc9 1359->1373 1360 63dff0f-63dff2e 1364 63dff36-63dff60 1360->1364 1367 63dff81 1364->1367 1368 63dff62-63dff7f 1364->1368 1369 63dff93-63dff9a 1367->1369 1368->1369 1372->1360 1373->1360
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: |
                                  • API String ID: 0-2343686810
                                  • Opcode ID: 64ede8f6cc40396292764a8319425ac30e55fbb0788315e2343d33944f17ceb0
                                  • Instruction ID: ee712f8be9092b28172781b3bab81c9d0746141a06410dc372040426bad54596
                                  • Opcode Fuzzy Hash: 64ede8f6cc40396292764a8319425ac30e55fbb0788315e2343d33944f17ceb0
                                  • Instruction Fuzzy Hash: F9114975B042149FDB44EF789804B6EBBF5AF8C600F108469E60AE73A0EA35A900CB80

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1646 63dd018-63dd033 1648 63dd035-63dd038 1646->1648 1649 63dd03a-63dd07c 1648->1649 1650 63dd081-63dd084 1648->1650 1649->1650 1651 63dd0cd-63dd0d0 1650->1651 1652 63dd086-63dd0c8 1650->1652 1653 63dd0da-63dd0dd 1651->1653 1654 63dd0d2-63dd0d7 1651->1654 1652->1651 1656 63dd0df-63dd0fb 1653->1656 1657 63dd100-63dd103 1653->1657 1654->1653 1656->1657 1660 63dd14c-63dd14f 1657->1660 1661 63dd105-63dd147 1657->1661 1663 63dd198-63dd19b 1660->1663 1664 63dd151-63dd193 1660->1664 1661->1660 1667 63dd19d-63dd19f 1663->1667 1668 63dd1aa-63dd1ad 1663->1668 1664->1663 1670 63dd3bf-63dd3c8 1667->1670 1671 63dd1a5 1667->1671 1672 63dd1af-63dd1f1 1668->1672 1673 63dd1f6-63dd1f9 1668->1673 1681 63dd3ca-63dd3cf 1670->1681 1682 63dd3d7-63dd3e3 1670->1682 1671->1668 1672->1673 1678 63dd208-63dd20b 1673->1678 1679 63dd1fb-63dd1fd 1673->1679 1686 63dd20d-63dd24f 1678->1686 1687 63dd254-63dd257 1678->1687 1684 63dd501 1679->1684 1685 63dd203 1679->1685 1681->1682 1688 63dd3e9-63dd3fd 1682->1688 1689 63dd4f4-63dd4f9 1682->1689 1696 63dd504-63dd510 1684->1696 1685->1678 1686->1687 1693 63dd259-63dd268 1687->1693 1694 63dd2a0-63dd2a3 1687->1694 1688->1684 1712 63dd403-63dd415 1688->1712 1689->1684 1698 63dd26a-63dd26f 1693->1698 1699 63dd277-63dd283 1693->1699 1701 63dd2a5-63dd2b4 1694->1701 1705 63dd2ec-63dd2ef 1694->1705 1696->1701 1702 63dd516-63dd803 1696->1702 1698->1699 1710 63dd289-63dd29b 1699->1710 1711 63dda35-63dda4c 1699->1711 1713 63dd2b6-63dd2bb 1701->1713 1714 63dd2c3-63dd2cf 1701->1714 1861 63dd809-63dd80f 1702->1861 1862 63dda2a-63dda34 1702->1862 1705->1696 1708 63dd2f5-63dd2f8 1705->1708 1715 63dd2fa-63dd33c 1708->1715 1716 63dd341-63dd344 1708->1716 1710->1694 1735 63dda4e 1711->1735 1736 63dda51-63dda6e 1711->1736 1732 63dd439-63dd43b 1712->1732 1733 63dd417-63dd41d 1712->1733 1713->1714 1714->1711 1721 63dd2d5-63dd2e7 1714->1721 1715->1716 1722 63dd38d-63dd390 1716->1722 1723 63dd346-63dd388 1716->1723 1721->1705 1737 63dd3ad-63dd3af 1722->1737 1738 63dd392-63dd3a8 1722->1738 1723->1722 1750 63dd445-63dd451 1732->1750 1742 63dd41f 1733->1742 1743 63dd421-63dd42d 1733->1743 1735->1736 1745 63dda70-63dda73 1736->1745 1740 63dd3b6-63dd3b9 1737->1740 1741 63dd3b1 1737->1741 1738->1737 1740->1648 1740->1670 1741->1740 1749 63dd42f-63dd437 1742->1749 1743->1749 1751 63dda75-63dda91 1745->1751 1752 63dda96-63dda99 1745->1752 1749->1750 1772 63dd45f 1750->1772 1773 63dd453-63dd45d 1750->1773 1751->1752 1755 63ddaa8-63ddaab 1752->1755 1756 63dda9b 1752->1756 1761 63ddaad-63ddad9 1755->1761 1762 63ddade-63ddae0 1755->1762 1908 63dda9b call 63ddb8d 1756->1908 1909 63dda9b call 63ddba0 1756->1909 1761->1762 1769 63ddae7-63ddaea 1762->1769 1770 63ddae2 1762->1770 1768 63ddaa1-63ddaa3 1768->1755 1769->1745 1776 63ddaec-63ddafb 1769->1776 1770->1769 1778 63dd464-63dd466 1772->1778 1773->1778 1785 63ddafd-63ddb60 call 63d6670 1776->1785 1786 63ddb62-63ddb77 1776->1786 1778->1684 1780 63dd46c-63dd488 call 63d6670 1778->1780 1793 63dd48a-63dd48f 1780->1793 1794 63dd497-63dd4a3 1780->1794 1785->1786 1793->1794 1794->1689 1797 63dd4a5-63dd4f2 1794->1797 1797->1684 1863 63dd81e-63dd827 1861->1863 1864 63dd811-63dd816 1861->1864 1863->1711 1865 63dd82d-63dd840 1863->1865 1864->1863 1867 63dda1a-63dda24 1865->1867 1868 63dd846-63dd84c 1865->1868 1867->1861 1867->1862 1869 63dd84e-63dd853 1868->1869 1870 63dd85b-63dd864 1868->1870 1869->1870 1870->1711 1871 63dd86a-63dd88b 1870->1871 1874 63dd88d-63dd892 1871->1874 1875 63dd89a-63dd8a3 1871->1875 1874->1875 1875->1711 1876 63dd8a9-63dd8c6 1875->1876 1876->1867 1879 63dd8cc-63dd8d2 1876->1879 1879->1711 1880 63dd8d8-63dd8f1 1879->1880 1882 63dda0d-63dda14 1880->1882 1883 63dd8f7-63dd91e 1880->1883 1882->1867 1882->1879 1883->1711 1886 63dd924-63dd92e 1883->1886 1886->1711 1887 63dd934-63dd94b 1886->1887 1889 63dd94d-63dd958 1887->1889 1890 63dd95a-63dd975 1887->1890 1889->1890 1890->1882 1895 63dd97b-63dd994 call 63d6670 1890->1895 1899 63dd996-63dd99b 1895->1899 1900 63dd9a3-63dd9ac 1895->1900 1899->1900 1900->1711 1901 63dd9b2-63dda06 1900->1901 1901->1882 1908->1768 1909->1768
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e83276db38c23d5d4a65f685661d7a149d38ee7509c17dfdfd91c00811f9b55
                                  • Instruction ID: e31d06a24bb81a5744f2a1e01c54003bd42b5878cfe25a759231c0cc04b55a0a
                                  • Opcode Fuzzy Hash: 5e83276db38c23d5d4a65f685661d7a149d38ee7509c17dfdfd91c00811f9b55
                                  • Instruction Fuzzy Hash: C5621C31A0020ACFDB55EB68E590A5EB7B2FF84304F208A69D4059F359DB75ED4ACBD0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c741faad0b8cd5d06d989ef62b55d239e77ffdbd96e58dd62940d4ad3cd44c35
                                  • Instruction ID: fc8791f8264d0b8abda833636962ba41285ef99c8870ad7b96f22cf15dea5823
                                  • Opcode Fuzzy Hash: c741faad0b8cd5d06d989ef62b55d239e77ffdbd96e58dd62940d4ad3cd44c35
                                  • Instruction Fuzzy Hash: 88E17F71E1020A8FDB65DF69E9846AEB7B6EF89304F208529D4169B344DF31DC4ACBD0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa33aa28090326459aba1c1852c2576ffbd5397ad57e37e098fb586fd19246ae
                                  • Instruction ID: e0b007096a4613739b0715e6f15186d641d24e36c417a351c880b7eff39cde39
                                  • Opcode Fuzzy Hash: aa33aa28090326459aba1c1852c2576ffbd5397ad57e37e098fb586fd19246ae
                                  • Instruction Fuzzy Hash: A1A1A6B5F101099FEF64DA6CD8907AEF7B6FB49300F218425E406E7385DA35DC858BA1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aceed6223e847e94b5367b5d29618e253f76d67cc8b027f4f0faf008616b9797
                                  • Instruction ID: 708797b2448df1ddbc67ed249809e0f4290ce5f6f266a89f44596a5addbe62f5
                                  • Opcode Fuzzy Hash: aceed6223e847e94b5367b5d29618e253f76d67cc8b027f4f0faf008616b9797
                                  • Instruction Fuzzy Hash: ED915031F1011A8FDB54EB65D8507AEB3F6EF88300F108569C81AEB385EA71DD468B91
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 680709284339b3fb1d9b243feb4e1f9a29e3911b167c2ee0c36f0d49349f1729
                                  • Instruction ID: 4f0addc4ff1267fcad9839a79590ec41a5fb3e07fef6b3359c559f0408dd26dc
                                  • Opcode Fuzzy Hash: 680709284339b3fb1d9b243feb4e1f9a29e3911b167c2ee0c36f0d49349f1729
                                  • Instruction Fuzzy Hash: 1D61B272F000114BDF509A6DD884A6FBADBEFC4620B15443AE80ADB3A0DE75DD0287D5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f40c0514c5de5aaf1324dee1cc06bfaf1f88daf5dc96bfe731f91793c7a1f19b
                                  • Instruction ID: 306708aea873024a12f0a1024dfed708745565ccb71f7f0f10a4d79cdb894ccb
                                  • Opcode Fuzzy Hash: f40c0514c5de5aaf1324dee1cc06bfaf1f88daf5dc96bfe731f91793c7a1f19b
                                  • Instruction Fuzzy Hash: 76814C31B112498FDB54DFA8D45476EB7F6EF89300F108429E40ADB385EE35EC468B91
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2acddeb37db2b0d2aa3937cc8b739521df47a9b0f8a3ff223a24bc25c00032bf
                                  • Instruction ID: eaa50c375083dc0371a47804537665cae252fb2a14918a14aaad8e1f13c90fdc
                                  • Opcode Fuzzy Hash: 2acddeb37db2b0d2aa3937cc8b739521df47a9b0f8a3ff223a24bc25c00032bf
                                  • Instruction Fuzzy Hash: 95915E31E1061A8FDF60DF68C850B9DB7B1FF89310F208599D549EB255DB70AA85CF90
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f999ed6389e54f7896200a4ea0e32a75459dc617bea9deb48901ffd2a5e64fec
                                  • Instruction ID: a028a069afe9df2e0bf94f605f3b784eda1de6daf604b1c6d60ed66b1ed45937
                                  • Opcode Fuzzy Hash: f999ed6389e54f7896200a4ea0e32a75459dc617bea9deb48901ffd2a5e64fec
                                  • Instruction Fuzzy Hash: 39813B31B1124A8FDB54DFA9D45466EB7F6EF89300F108529E40AEB385EE31EC468B91
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ed47ff4761e4c1aa6126bfa1e5e95349e9a18d2177df0e1a4eec17747c0923da
                                  • Instruction ID: 555e482c2b866a9da0b2e420cf7d9c893626cfd981805f02f251de92e4d8e949
                                  • Opcode Fuzzy Hash: ed47ff4761e4c1aa6126bfa1e5e95349e9a18d2177df0e1a4eec17747c0923da
                                  • Instruction Fuzzy Hash: B2912C31E1061A8BDF60DF68C880B9DB7B1FF89310F208599D549BB355EB71AA85CF90
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 87d33f535bc751f74f28eb1c81c61f9cc0bc94a793db137ebd5c2575002ee284
                                  • Instruction ID: bd365838ff98e8b7580fd557f356edbffe99f724f117628d29dc3becdacc4b62
                                  • Opcode Fuzzy Hash: 87d33f535bc751f74f28eb1c81c61f9cc0bc94a793db137ebd5c2575002ee284
                                  • Instruction Fuzzy Hash: BA710E71E002099FDB54EFA9D990A9DBBF6FF88300F148529D419EB355DB30E946CB90
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a97ddb6610984b8b3daf0783455b9ba9dbd17ae53a073ffa4061be5fd6312072
                                  • Instruction ID: 4de60ac1e24c168eae51f0fa9118174f15d33a195f64ebb80437cb9579880d83
                                  • Opcode Fuzzy Hash: a97ddb6610984b8b3daf0783455b9ba9dbd17ae53a073ffa4061be5fd6312072
                                  • Instruction Fuzzy Hash: C671F971E002099FDB54EFA9D990A9DBBF6FF88300F248529D419EB355DB30E946CB90
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb8cb429f9bbf147dd114ee789b71148f4c6896c2936ae1d2698dbbdf6c6bcb2
                                  • Instruction ID: e464fc8f721d87d7515f1fce309470ba67f0873119e02e925ef56b1299ed0284
                                  • Opcode Fuzzy Hash: fb8cb429f9bbf147dd114ee789b71148f4c6896c2936ae1d2698dbbdf6c6bcb2
                                  • Instruction Fuzzy Hash: 5E619E31F102189FEB549FA5D8147AEBBF6FB88700F20842AE106AB395DE758C058B94
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1c5d3f1847da07bef8160d409cb2621a59f99396b83dcfca6b202b826450ceb8
                                  • Instruction ID: 64016f226fbef1c517b4d79979edb892b96c6214d840493a34b869af5649150f
                                  • Opcode Fuzzy Hash: 1c5d3f1847da07bef8160d409cb2621a59f99396b83dcfca6b202b826450ceb8
                                  • Instruction Fuzzy Hash: 88510639B202159FEF606668E89476F365ADB89740F20442EE50BD73E5CE78CC4687E2
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2943dc477d2bb698640387207864a6c7135879740e38763d25271a64542ddf3f
                                  • Instruction ID: ae11c51f592a8d1e0d8b8c30cc0da4a83740e01910cba7a6d0ac1fd68a3665aa
                                  • Opcode Fuzzy Hash: 2943dc477d2bb698640387207864a6c7135879740e38763d25271a64542ddf3f
                                  • Instruction Fuzzy Hash: DE51DF72E01109CFDB14ABB8F8946ADBBB2EF84311F10886DE106DB251DF318959CBD0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 105003de4b339ae7c8c4a21ef9fec21e47d4bccdea635f3056d8a388d5463912
                                  • Instruction ID: 982c22d74b1097e3996ed5908298266eaade4e5138bbbc85d821f53732b065d5
                                  • Opcode Fuzzy Hash: 105003de4b339ae7c8c4a21ef9fec21e47d4bccdea635f3056d8a388d5463912
                                  • Instruction Fuzzy Hash: 82515631B111468FDB54EB74D950B6E73F6EF88300F10856AC81ADB385EA31DC468F95
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2ce99b40a0c0381c9af0dc3a36c012729dc34fb952b8775b796774b13e074248
                                  • Instruction ID: 9095573c6093c0a441dbcecfa5bfee0f811e4c613074c7f9a40d40520e0d9d3c
                                  • Opcode Fuzzy Hash: 2ce99b40a0c0381c9af0dc3a36c012729dc34fb952b8775b796774b13e074248
                                  • Instruction Fuzzy Hash: 4451E439B202059FEF606A6CE89476F365AD789740F20442EE10BD7395CE78CC4687E2
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dc38db228d80e969a293dc821477c057c1d897af9551b9a213b5e3fbc11e6967
                                  • Instruction ID: 7be759c011218f2da770c8d21d7ea4dbf0446eb3fdb142c4ca4790c459b060ae
                                  • Opcode Fuzzy Hash: dc38db228d80e969a293dc821477c057c1d897af9551b9a213b5e3fbc11e6967
                                  • Instruction Fuzzy Hash: E0519D30F102489FDB559FA8C8547AEBBF6EF88700F20842AE105EB395DA718C059BA0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dc1ee1a79047d09f5924b59352614e392c6fcaab92129ce963bb69240bd8e4b9
                                  • Instruction ID: 4ce8e984a5737b8aa094182092e7f746191ca5111200efb8b8ecaad272f69597
                                  • Opcode Fuzzy Hash: dc1ee1a79047d09f5924b59352614e392c6fcaab92129ce963bb69240bd8e4b9
                                  • Instruction Fuzzy Hash: 1D414272E006099FDF70CEA9E881BAFF7F1FB95224F10492AE156D7650D730A9498BD0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 75b2f9ea34021f71fd7a2a413e235aaf19a89b33ef8f3bb282eae1d027d9b90f
                                  • Instruction ID: a84c536e33d2ba85e2347d6d9205611b3cb2907dc337f64b61bf79da6d34a935
                                  • Opcode Fuzzy Hash: 75b2f9ea34021f71fd7a2a413e235aaf19a89b33ef8f3bb282eae1d027d9b90f
                                  • Instruction Fuzzy Hash: 7E41A271E103499FDF25DF65E84469EBBB2FF86300F104529E406D7280EBB1D94ACB91
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 768b8f6a9af474b192f82ffa60bb22c1cac17bb05768c9076a2f872c17c7901a
                                  • Instruction ID: de04acbe94bc55b3851441d8debc0f316c6f1e044d870fdec2fb9c9e21f44a16
                                  • Opcode Fuzzy Hash: 768b8f6a9af474b192f82ffa60bb22c1cac17bb05768c9076a2f872c17c7901a
                                  • Instruction Fuzzy Hash: 04419171E1020ADFDB64DFA5E8446AEBBB2FF85300F108429D406EB240DB70D94ACBC1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e7c0f336fc26695e34b710f8147fc82cb09b14d4890a9ab866954892f77f3b1
                                  • Instruction ID: ef6b4e96d69dde2fe8ec5ede49a5f9fd3b778c26ae39dd952143743744d088dc
                                  • Opcode Fuzzy Hash: 3e7c0f336fc26695e34b710f8147fc82cb09b14d4890a9ab866954892f77f3b1
                                  • Instruction Fuzzy Hash: 62310131B102058FDB55AB34E8546AFBBA6EB89600F108468D506DB381EE35CE4ACBE0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1976a796a26fcf7f7ba7e4bfcdede09c1cd71550450e274bc8c3757f5af4d952
                                  • Instruction ID: 60a9c8c8abdf9ab0e509891fed1c5b82c5f0963b0280463a0f984ab3ef6a05f4
                                  • Opcode Fuzzy Hash: 1976a796a26fcf7f7ba7e4bfcdede09c1cd71550450e274bc8c3757f5af4d952
                                  • Instruction Fuzzy Hash: 6631E531B002058FDB55AB74E91466FB7E7EF89600F108428D506DB381EE35DD46CBE0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e443a319e1aba8e69ee722f55ccb03e49cabbc334159120b4c51702fafff4850
                                  • Instruction ID: 4fbc7e51ff8a5909a88a5cfc6f094c18d49ab9b4d51f022f7b0df88a72c34cbc
                                  • Opcode Fuzzy Hash: e443a319e1aba8e69ee722f55ccb03e49cabbc334159120b4c51702fafff4850
                                  • Instruction Fuzzy Hash: 1231AF31E102099BDB55CFA4D89569EB7B2FF89300F10C929E916E7340DB71ED46CB90
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e8cb30d2bf26921840b30e7c62377286f9795eefe67246eb5d338c96ebcf5420
                                  • Instruction ID: 37b4cb7608e5e688579b0c2eaba2e2d4cf9a230040ede5512645511e757f1067
                                  • Opcode Fuzzy Hash: e8cb30d2bf26921840b30e7c62377286f9795eefe67246eb5d338c96ebcf5420
                                  • Instruction Fuzzy Hash: 73317A31E106099BDB58DFA4D89469EB7B2FF89300F10C929E916EB350DB71ED46CB90
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6de505ce2520bb600dc12fadf8f7b96e82941e7438d406312af55b4e170f6afa
                                  • Instruction ID: 9659d3cf8d6d1132a3e3e72296636dc11d6ea8f5a3452a8a4402826e3e66be18
                                  • Opcode Fuzzy Hash: 6de505ce2520bb600dc12fadf8f7b96e82941e7438d406312af55b4e170f6afa
                                  • Instruction Fuzzy Hash: 0B31EF72E112559FEB00DF79D840AAEBBF1EB88710F10842AE945E7381E731DD42CB91
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c39eb243f4b1237d0ccecd4618f836da9f9a6efe793049d40294fd06c1c9934c
                                  • Instruction ID: b45c0b6041604fa8d72ab42f4f2dc3b69057fc8f8502753ed94e99cfdab358ed
                                  • Opcode Fuzzy Hash: c39eb243f4b1237d0ccecd4618f836da9f9a6efe793049d40294fd06c1c9934c
                                  • Instruction Fuzzy Hash: F3217C76E116199FEB40DF69E980AAEBBF5FB88710F108425E905E7380E732DD018B91
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 069c736d2445634800e546ed9f0ea63f4007e305ea5f89cabb54a1c274ac4c3e
                                  • Instruction ID: 9949d290fa3bf5db7b774551dc26efe6a0422cfc781237acde5e8a415202f631
                                  • Opcode Fuzzy Hash: 069c736d2445634800e546ed9f0ea63f4007e305ea5f89cabb54a1c274ac4c3e
                                  • Instruction Fuzzy Hash: 00210132F110059FDF54DA78E95179DB7F6EF89310F14882AD405EB340D6309D828BC0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4587961002.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f9d000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1ed19136f9add78a44c25abd0930554ede0789c0760475bc15337d5c343b2b86
                                  • Instruction ID: bec15d25171282a0781969dc453219288a7783b1c937b23100b9ea706e15059f
                                  • Opcode Fuzzy Hash: 1ed19136f9add78a44c25abd0930554ede0789c0760475bc15337d5c343b2b86
                                  • Instruction Fuzzy Hash: 2821F272A04244DFEF14DF24D984B16BB61EB84324F34C56DD90A4B26AC33AD847EA61
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: acf588fb6209b402553e4ef769d0a6d17b1415735e8c2bf0555001a0534de2a5
                                  • Instruction ID: 5923570aff17f9976ea76d55f1ca45c431fb8969051647f1518a634087a2e045
                                  • Opcode Fuzzy Hash: acf588fb6209b402553e4ef769d0a6d17b1415735e8c2bf0555001a0534de2a5
                                  • Instruction Fuzzy Hash: 4E21E132B110098FDF84DA68F95179EB7B6EF89310F108529E409EB380DB31ED428BC0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4587961002.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f9d000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 41bf9210158cf6096d2ad70b755ed4386c4f8fe294e5316b65a2e220f10959fa
                                  • Instruction ID: 69aeff0c1d76e0c03706e6ae35caabef7eccc3efb5204120710a3e0831dff0a8
                                  • Opcode Fuzzy Hash: 41bf9210158cf6096d2ad70b755ed4386c4f8fe294e5316b65a2e220f10959fa
                                  • Instruction Fuzzy Hash: 54219F755093C08FDB02CF24D990715BF71EB46324F28C5EAD8498F6A7C33A980ACB62
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: afc9a085a8f95b60738bf5969e0238d83b4fb01cb5bf6b1cc9bd56fe65fd41e2
                                  • Instruction ID: 435a4de734bb3e3e1ac441122ac58c342a018f36a250d00d22e9680cb69901ab
                                  • Opcode Fuzzy Hash: afc9a085a8f95b60738bf5969e0238d83b4fb01cb5bf6b1cc9bd56fe65fd41e2
                                  • Instruction Fuzzy Hash: B4115E32B105298FDB949669D814AAEB7AAEBC9710F044539D40AEB344EE35DC068BD2
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ad46457e82d554620e242ca9b91f6e2a65e094ac903dcddf03853b0e646267d7
                                  • Instruction ID: 52743dbf1560e6f16459889f141952fc18bf40ef27cb2949375973c798630b73
                                  • Opcode Fuzzy Hash: ad46457e82d554620e242ca9b91f6e2a65e094ac903dcddf03853b0e646267d7
                                  • Instruction Fuzzy Hash: 6501D231B152461BEB659A7CA41031ABBEACBCB610F14846AE14ACB342DD65CC8683D6
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b66c320622cf65b19745a9a2f6ac06222e3877086d65c0ea33defde8d4b7b3dd
                                  • Instruction ID: 1994a6533e52c62add8494abd16226a23cc662d1a286e1fcee8e0947730893eb
                                  • Opcode Fuzzy Hash: b66c320622cf65b19745a9a2f6ac06222e3877086d65c0ea33defde8d4b7b3dd
                                  • Instruction Fuzzy Hash: 41018F32B101115BDB75AA7CB49072E7BD6DBCAA14F248839F50ACF381D925DC0783E1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 229472c654bc297abcc66b9d5ceafe99279462471ea99ed12ec495a86c36e739
                                  • Instruction ID: e819081e8cdf2f80c35ba1b0ffdae1b8d0517b12ea57fda74593c2acbe2ed551
                                  • Opcode Fuzzy Hash: 229472c654bc297abcc66b9d5ceafe99279462471ea99ed12ec495a86c36e739
                                  • Instruction Fuzzy Hash: 0C01F2B3F102404FD7A1E67CE96472A77E5DB8A700F118839E04ACB355EE21DC0687E1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 93ced183acb9788fde47fb9133825c350bc00b99701242ce52890cd89ae7a6c8
                                  • Instruction ID: cc25cc3c2708c72f59f6aa44c89b55d001b325ceed9b2c411f486cd537cd32b5
                                  • Opcode Fuzzy Hash: 93ced183acb9788fde47fb9133825c350bc00b99701242ce52890cd89ae7a6c8
                                  • Instruction Fuzzy Hash: B301B1639092A19EE752AE78D86638A3F71CF43204F1904DFC0C4CF293E525C58AD3A6
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c0391c7563db75acdbba0232ede530bee44c90516e3bebba7479353ca9e6f5cb
                                  • Instruction ID: 9e134d711330d0c4d382376d56ca3cb31b26540fde68a65381c2d05c2aef5493
                                  • Opcode Fuzzy Hash: c0391c7563db75acdbba0232ede530bee44c90516e3bebba7479353ca9e6f5cb
                                  • Instruction Fuzzy Hash: F211D3B5D012599FDB00CF9AD885BDEFBB4FB49714F10812AE518B7200C374A954CBA5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c0e9282b05cda7a4215a7b4887ed8fc791a65d9c6f0df1e81549f90742bf2c64
                                  • Instruction ID: 4b1fb6085a3e213f7c6fbed60bb1d3c49b52f6a3a884ec1ac50f6edbea9b6732
                                  • Opcode Fuzzy Hash: c0e9282b05cda7a4215a7b4887ed8fc791a65d9c6f0df1e81549f90742bf2c64
                                  • Instruction Fuzzy Hash: 6C21D3B6D012199FDB40CF9AD985BDEFBB4BF48315F10852AE518B7200C374A954CFA5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8dba8625762c34bc6cc0baf76ff7ecb00390a728ad7dfe12da4f2ec14deb76b1
                                  • Instruction ID: 79f34906c20690b2d7b33a0c43993f2ef8ceddb064cec258c6b5e6b8d9d7166a
                                  • Opcode Fuzzy Hash: 8dba8625762c34bc6cc0baf76ff7ecb00390a728ad7dfe12da4f2ec14deb76b1
                                  • Instruction Fuzzy Hash: 50014B32B101160BEB649A6DA45072AA2DACBCAB24F108429F50ECB384ED65DC4643D6
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7fba4d61cd70a7493827d268ddb957dd0960c8cca7f25b52234ea29fcd89bf40
                                  • Instruction ID: cf11d9587b87b680ea20c671dcdad176f5b081a937ea98b842774e4629813cfe
                                  • Opcode Fuzzy Hash: 7fba4d61cd70a7493827d268ddb957dd0960c8cca7f25b52234ea29fcd89bf40
                                  • Instruction Fuzzy Hash: 0801A232F254254FEF959678D814BEEB7AADFC8610F04413AD50AEB284EE35CC464BD2
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6adbb6be20a7b2c2edc96e8d1ae1803d1e1c95afa4467e63893c5462ce6fafbe
                                  • Instruction ID: 29dec830031bd016a70906098f31ed3b73daa31795550f47a6570685077ce92f
                                  • Opcode Fuzzy Hash: 6adbb6be20a7b2c2edc96e8d1ae1803d1e1c95afa4467e63893c5462ce6fafbe
                                  • Instruction Fuzzy Hash: A0018C32B100114BDBB4AA6CA45072EB7DADBCAB24F108829E50ACF380EE25DC0743E5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f3ea14a4ef55b809bb9bfb475012fe80b7fc6fe394d8ba9f889ba63ca82c9de2
                                  • Instruction ID: 287c3500168751763234429192f86847ae055dabb548fb2b0161c263872a94e2
                                  • Opcode Fuzzy Hash: f3ea14a4ef55b809bb9bfb475012fe80b7fc6fe394d8ba9f889ba63ca82c9de2
                                  • Instruction Fuzzy Hash: 7501A432B201154FDBA0E67CE95471AB3E5D789714F108438E50ACB344EE21EC0687D5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d3994e54f9f8d71c200364b1628027d2a306812e79607c34f20fac10213d6865
                                  • Instruction ID: 7be81a1c0fb2061f45410ec46fb8554b7ccd0877ced8409e6d87e248f793d6d6
                                  • Opcode Fuzzy Hash: d3994e54f9f8d71c200364b1628027d2a306812e79607c34f20fac10213d6865
                                  • Instruction Fuzzy Hash: 4A01A432F202249BDB54AA69F940A9EB77AE789314F004529E905EB345DB31AD0ACBD0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 47f817f45c038bc961b9ba30bbc2b8c904f776f0577de8ca49abe2941e44b385
                                  • Instruction ID: 590c6fcbda837ce56de12d2ced0f1a8bfd6432db9c20aded6e47582e38cd792c
                                  • Opcode Fuzzy Hash: 47f817f45c038bc961b9ba30bbc2b8c904f776f0577de8ca49abe2941e44b385
                                  • Instruction Fuzzy Hash: 13F0F871A20219EFDB14DF94E859BAEBBB6FF89701F200119E012A7295CBB41D46DBC0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4591578865.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_63d0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b84372c5675e9e2ad0d48ef59261142a4f61175df5c468163b217fc4eaddae97
                                  • Instruction ID: 1b8e67e23291c4cfc902adf10c736a128da38129e3fd8c1db15596caeba9a5e5
                                  • Opcode Fuzzy Hash: b84372c5675e9e2ad0d48ef59261142a4f61175df5c468163b217fc4eaddae97
                                  • Instruction Fuzzy Hash: 18E01272E1010CABDF50DEB4D94A75A77AED703214F2088A5D819C7206E677DA4687C0
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 05663A96
                                  • GetCurrentThread.KERNEL32 ref: 05663AD3
                                  • GetCurrentProcess.KERNEL32 ref: 05663B10
                                  • GetCurrentThreadId.KERNEL32 ref: 05663B69
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4590949928.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5660000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 3e99c403562fff37f42fced5ca6f5e160483877959b7ebe7377ff5902ce400e9
                                  • Instruction ID: 3aa4d156e73765b9c99f353fe6ec7c36005e2a6b72508e3be49eb98ecb2f79d8
                                  • Opcode Fuzzy Hash: 3e99c403562fff37f42fced5ca6f5e160483877959b7ebe7377ff5902ce400e9
                                  • Instruction Fuzzy Hash: 4A5167B490024A8FDB54CFA9D948BDEBBF1EF88304F208519E419A73A0DB349944CB65
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 05663A96
                                  • GetCurrentThread.KERNEL32 ref: 05663AD3
                                  • GetCurrentProcess.KERNEL32 ref: 05663B10
                                  • GetCurrentThreadId.KERNEL32 ref: 05663B69
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.4590949928.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5660000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: ec89995faf047d19090d9abc4471443b790d2f4d25ab63375296cc4479e5f214
                                  • Instruction ID: ddcf30e91a933a93f94e75e0b851e9f6239f77452dbc5a7e8dcf4b37fc3192fb
                                  • Opcode Fuzzy Hash: ec89995faf047d19090d9abc4471443b790d2f4d25ab63375296cc4479e5f214
                                  • Instruction Fuzzy Hash: 2B5178B490034A8FDB54CFA9D948BDEBBF1FF88304F208419E419A73A0DB349944CB65