Windows Analysis Report
Wru9ycO2MJ.exe

Overview

General Information

Sample name: Wru9ycO2MJ.exe (renamed because original name is a hash value)
Original sample name: 851cadfb7b72af94db5c9db85e0d52dfcbf3fa948c7498627e4b67162cff6e7d.exe
Analysis ID: 1588700
MD5: e984689ddc606e421d3cf8746ac0783e
SHA1: 209d2263e1baff1943533effa0f3e1964d98b8cd
SHA256: 851cadfb7b72af94db5c9db85e0d52dfcbf3fa948c7498627e4b67162cff6e7d
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Wru9ycO2MJ.exe (PID: 4120 cmdline: "C:\Users\user\Desktop\Wru9ycO2MJ.exe" MD5: E984689DDC606E421D3CF8746AC0783E)
    • Wru9ycO2MJ.exe (PID: 4668 cmdline: "C:\Users\user\Desktop\Wru9ycO2MJ.exe" MD5: E984689DDC606E421D3CF8746AC0783E)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration (extracted): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000003.00000002.4504072782.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.4504072782.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.4504072782.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara matches in unpacked PEs (Source | Rule | Description | Author):
0.2.Wru9ycO2MJ.exe.4330708.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Wru9ycO2MJ.exe.4330708.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Wru9ycO2MJ.exe.4330708.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings:
  • 0x316f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31763:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3187f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3195b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a81:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.Wru9ycO2MJ.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.Wru9ycO2MJ.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary (Sigma)

Source: Network Connection | Author: frack113 | Data: DestinationIp: 67.23.226.139, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Wru9ycO2MJ.exe, Initiated: true, ProcessId: 4668, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708
No Suricata rule has matched

AV Detection

Source: 0.2.Wru9ycO2MJ.exe.436b128.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}
Source: Wru9ycO2MJ.exe | ReversingLabs: Detection: 63%
Source: Wru9ycO2MJ.exe | Virustotal: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Wru9ycO2MJ.exe | Joe Sandbox ML: detected
Source: Wru9ycO2MJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: Wru9ycO2MJ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.5:49708 -> 67.23.226.139:587
Source: Joe Sandbox View | IP Address: 67.23.226.139
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.showpiece.trillennium.biz
Source: Wru9ycO2MJ.exe, 00000000.00000002.2070019337.0000000002789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.showpiece.trillennium.biz
Source: Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0
Source: Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
Source: Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://showpiece.trillennium.biz
Source: Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4508226189.0000000006395000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000E86000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Wru9ycO2MJ.exe, 00000003.00000002.4508226189.0000000006395000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000E86000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Wru9ycO2MJ.exe, 00000000.00000002.2070865518.0000000004330000.00000004.00000800.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Wru9ycO2MJ.exe, 00000000.00000002.2070865518.0000000004330000.00000004.00000800.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Wru9ycO2MJ.exe
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.Wru9ycO2MJ.exe.4330708.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 3.2.Wru9ycO2MJ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Wru9ycO2MJ.exe.436b128.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Wru9ycO2MJ.exe.436b128.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Wru9ycO2MJ.exe.4330708.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: Wru9ycO2MJ.exe, 00000000.00000002.2070865518.0000000003FC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000000.00000000.2036258233.00000000004CC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePJYe.exe0 vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000000.00000002.2074272607.0000000007440000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000000.00000002.2070019337.0000000002789000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000000.00000002.2070865518.0000000003F89000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000000.00000002.2068622769.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000000.00000002.2076900911.0000000009200000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000000.00000002.2070865518.0000000004330000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000000.00000002.2070019337.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000003.00000002.4502409068.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000E18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dll vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe | Binary or memory string: OriginalFilenamePJYe.exe0 vs Wru9ycO2MJ.exe
Source: Wru9ycO2MJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Wru9ycO2MJ.exe.4330708.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.Wru9ycO2MJ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Wru9ycO2MJ.exe.436b128.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Wru9ycO2MJ.exe.436b128.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Wru9ycO2MJ.exe.4330708.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Wru9ycO2MJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wru9ycO2MJ.exe.log
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Mutant created: \Sessions\1\BaseNamedObjects\QcatWQLiga
Source: Wru9ycO2MJ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Wru9ycO2MJ.exe | ReversingLabs: Detection: 63%
Source: Wru9ycO2MJ.exe | Virustotal: Detection: 55%
Source: unknown | Process created: C:\Users\user\Desktop\Wru9ycO2MJ.exe "C:\Users\user\Desktop\Wru9ycO2MJ.exe"
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Process created: C:\Users\user\Desktop\Wru9ycO2MJ.exe "C:\Users\user\Desktop\Wru9ycO2MJ.exe"
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, iconcodecservice.dll, dwrite.dll
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, vaultcli.dll, wintypes.dll, edputil.dll
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Wru9ycO2MJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Wru9ycO2MJ.exe | Static file information: File size 1120256 > 1048576
Source: Wru9ycO2MJ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Wru9ycO2MJ.exeStatic PE information: section name: .text entropy: 7.749018200049437
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: Wru9ycO2MJ.exe PID: 4120, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: 25D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: 2780000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: 4780000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: 4E20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: 5E20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: 5F50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: 6F50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: 9EB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: AEB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: B340000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: C340000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: E00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: 2AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: 4AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Window / User API: threadDelayed 1708
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Window / User API: threadDelayed 8137
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4144 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep count: 32 > 30
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -29514790517935264s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 2848 | Thread sleep count: 1708 > 30
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -99875s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 2848 | Thread sleep count: 8137 > 30
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -99766s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -99547s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -99438s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -99219s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -99094s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -98984s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -98875s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -98766s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -98656s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -98547s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -98434s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -98328s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -98206s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -98078s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -97938s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -97774s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -97672s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -97563s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -97438s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -97313s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -97203s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -97094s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -96969s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -96859s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -96750s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -96641s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -96531s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -96422s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -96313s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -96188s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -96078s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -95969s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -95844s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -95734s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -95625s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -95516s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -95371s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -95263s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -95155s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -95045s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -94930s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -94828s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -94719s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -94610s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -94500s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -94391s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe TID: 4164 | Thread sleep time: -94266s >= -30000s
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 99875
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 99766
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 99656
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 99547
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 99438
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 99328
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 99219
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 99094
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 98984
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 98875
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 98766
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 98656
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 98547
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 98434
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 98328
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 98206
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 98078
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 97938
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 97774
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 97672
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 97563
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 97438
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 97313
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 97203
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 97094
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 96969
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 96859
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 96750
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 96641
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 96531
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 96422
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 96313
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 96188
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 96078
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 95969
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 95844
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 95734
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 95625
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 95516
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 95371
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 95263
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 95155
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 95045
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 94930
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 94828
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 94719
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 94610
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 94500
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 94391
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Thread delayed: delay time: 94266
                    Source: Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Process created: C:\Users\user\Desktop\Wru9ycO2MJ.exe "C:\Users\user\Desktop\Wru9ycO2MJ.exe"
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Queries volume information: C:\Users\user\Desktop\Wru9ycO2MJ.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Queries volume information: C:\Users\user\Desktop\Wru9ycO2MJ.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.4330708.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Wru9ycO2MJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.436b128.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.436b128.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.4330708.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4504072782.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4504072782.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2070865518.0000000004330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Wru9ycO2MJ.exe PID: 4120, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Wru9ycO2MJ.exe PID: 4668, type: MEMORYSTR
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.4330708.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Wru9ycO2MJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.436b128.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.436b128.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.4330708.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4504072782.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2070865518.0000000004330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Wru9ycO2MJ.exe PID: 4120, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Wru9ycO2MJ.exe PID: 4668, type: MEMORYSTR
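The thirteen consecutive "Thread delayed" events above (each delay roughly a hundred shorter than the one before it) and the file and registry accesses listed in this section are the raw material for detection logic: one unrelated binary reading browser, mail-client and FTP/SFTP-client stores in sequence is the stealer pattern, and a shrinking delay sequence is the shape of code that keeps re-issuing Sleep() with the remaining time until a deadline. The Python below is an added example, not part of the Joe Sandbox report. It parses the report's behavior lines exactly as they are extracted (including the fused "Jump to behavior" link text), flags a process that touches credential stores of more than one kind, and summarizes the sleep sequence. The sample lines are copied from this report; the store table, the category names and the assumption that delay values are milliseconds are the example's own.

```python
"""Two detections built from Joe Sandbox behavior lines: one process reading
several kinds of credential store, and a sleep-countdown evasion loop."""
import re
from collections import defaultdict

# Constructed input: behavior lines copied from this report exactly as the
# HTML flattens them ("Source: <process><action>: <detail>Jump to behavior").
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 95625Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 95516Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 95371Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 95263Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 95155Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 95045Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 94930Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 94828Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 94719Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 94610Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 94500Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 94391Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeThread delayed: delay time: 94266Jump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
Source: C:\Users\user\Desktop\Wru9ycO2MJ.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
"""

# The process path ends in .exe and is fused to the action name; the trailing
# "Jump to behavior" is link text left over from the HTML.
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe)"
    r"(?P<action>Thread delayed|File opened|Key opened|Key value queried|Process created): "
    r"(?P<detail>.*?)(?:Jump to behavior)?$"
)

# Credential stores seen in the report, grouped by the kind of secret they hold.
# Matched case-insensitively as path fragments; the table is meant to be extended.
CREDENTIAL_STORES = (
    (r"\Login Data", "browser"),                         # Chromium saved logins
    (r"\Firefox\profiles.ini", "browser"),               # Gecko profile index
    (r"\Cyberfox\profiles.ini", "browser"),
    (r"\BlackHawk\profiles.ini", "browser"),
    (r"\Thunderbird\profiles.ini", "mail"),
    (r"\Windows Messaging Subsystem\Profiles", "mail"),  # Outlook/MAPI profiles
    (r"\IncrediMail\Identities", "mail"),
    (r"\WinSCP 2\Sessions", "sftp"),
    (r"\FTP Navigator\Ftplist.txt", "ftp"),
)


def parse_events(text):
    """Parse flattened behavior lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_harvesting(events, min_categories=2):
    """Return the first process reading stores of >= min_categories kinds, else None."""
    per_proc = defaultdict(lambda: {"categories": set(), "stores": []})
    for ev in events:
        if ev["action"] not in ("File opened", "Key opened"):
            continue
        for needle, category in CREDENTIAL_STORES:
            if needle.lower() in ev["detail"].lower():
                per_proc[ev["proc"]]["categories"].add(category)
                per_proc[ev["proc"]]["stores"].append(ev["detail"])
                break
    for proc, info in per_proc.items():
        if len(info["categories"]) >= min_categories:
            return {"process": proc, "categories": sorted(info["categories"]),
                    "stores": info["stores"]}
    return None


def analyze_sleep_loop(events):
    """Summarize 'Thread delayed' events. A strictly decreasing delay sequence is
    the signature of code that sleeps for the remaining time until a deadline.
    Values are treated as milliseconds (assumption; the report gives no unit)."""
    delays = []
    for ev in events:
        if ev["action"] == "Thread delayed":
            m = re.search(r"delay time: (\d+)", ev["detail"])
            if m:
                delays.append(int(m.group(1)))
    steps = [a - b for a, b in zip(delays, delays[1:])]
    return {
        "calls": len(delays),
        "total_ms": sum(delays),
        "countdown": bool(steps) and all(s > 0 for s in steps),
        "min_step": min(steps, default=None),
        "max_step": max(steps, default=None),
    }
```

Run over the lines above, the harvesting check reports four store categories for Wru9ycO2MJ.exe (browser, ftp, mail, sftp) across eight distinct stores, and the sleep summary reports 13 calls, a strictly decreasing sequence with steps between 102 and 145, and a total of 1234219 (about 20 minutes if the unit is milliseconds), which is why the report also notes long sleeps and an analysis time override. On a real host the same rule should be fed from file and registry audit events keyed by process, with the process's own vendor (a browser reading its own profile) whitelisted.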

                    Remote Access Functionality

Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.4330708.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Wru9ycO2MJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.436b128.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.436b128.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wru9ycO2MJ.exe.4330708.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4504072782.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4504072782.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2070865518.0000000004330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Wru9ycO2MJ.exe PID: 4120, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Wru9ycO2MJ.exe PID: 4668, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; the digits in front of a technique are the report's signature-count badges, run together by extraction, and techniques without digits had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 11 Process Injection; Indicator Removal from Tools
Credential Access: 2 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 11 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Source | Detection | Scanner | Label
Wru9ycO2MJ.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Wru9ycO2MJ.exe | 56% | Virustotal | -
Wru9ycO2MJ.exe | 100% | Joe Sandbox ML | -
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.13.205 | true | false | - | high
showpiece.trillennium.biz | 67.23.226.139 | true | false | - | high
mail.showpiece.trillennium.biz | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://showpiece.trillennium.biz | Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.ipify.org | Wru9ycO2MJ.exe, 00000000.00000002.2070865518.0000000004330000.00000004.00000800.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://localhost/arkanoid_server/requests.php | Wru9ycO2MJ.exe, 00000000.00000002.2070019337.0000000002789000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://account.dyn.com/ | Wru9ycO2MJ.exe, 00000000.00000002.2070865518.0000000004330000.00000004.00000800.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | - | high
http://r11.o.lencr.org0# | Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.ipify.org/t | Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://mail.showpiece.trillennium.biz | Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://x1.c.lencr.org/0 | Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4508226189.0000000006395000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000E86000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://x1.i.lencr.org/0 | Wru9ycO2MJ.exe, 00000003.00000002.4508226189.0000000006395000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000E86000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://r11.i.lencr.org/0 | Wru9ycO2MJ.exe, 00000003.00000002.4503031346.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, Wru9ycO2MJ.exe, 00000003.00000002.4504072782.0000000002B24000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
67.23.226.139 | showpiece.trillennium.biz | United States | 33182 | DIMENOCUS | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
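The domain and IP tables above are the sample's network indicators, and none of them is flagged as malicious by the report's own scanners. They are not of equal value for hunting: showpiece.trillennium.biz and its mail host on 67.23.226.139 (AS33182) are the attacker's infrastructure, while api.ipify.org is a public external-IP lookup service behind a shared Cloudflare edge address that plenty of legitimate software also contacts. The Python below is an added example, not part of the Joe Sandbox report. It matches DNS and connection records against these indicators with that distinction built in: domains match on label boundaries (subdomains hit, look-alike names and longer suffixes do not), IPs match exactly after validation, and a host gets a "high" verdict only when an attacker-controlled indicator is involved. The log lines are constructed, and the high/low tiers are this example's judgement rather than anything the report states.

```python
"""Match the report's network indicators against DNS and connection logs,
ranking attacker-controlled infrastructure above shared public services."""
import ipaddress
import re

# Indicators from the report's domain and IP tables. The tiers are this
# example's judgement: the trillennium.biz hosts are the sample's own C2,
# whereas api.ipify.org and its Cloudflare address are shared by many
# legitimate programs and are only weak evidence on their own.
DOMAIN_IOCS = {
    "mail.showpiece.trillennium.biz": "high",
    "showpiece.trillennium.biz": "high",
    "api.ipify.org": "low",
}
IP_IOCS = {
    "67.23.226.139": "high",  # showpiece.trillennium.biz, AS33182 DIMENOCUS
    "104.26.13.205": "low",   # api.ipify.org, AS13335 Cloudflare (shared edge)
}

# Constructed log excerpt (not from the report): "<time> <client> dns <name>"
# and "<time> <client> conn <ip>" records from three internal hosts.
SAMPLE_LOG = """\
2025-01-11T03:22:45Z 10.0.0.15 dns api.ipify.org
2025-01-11T03:22:45Z 10.0.0.15 conn 104.26.13.205
2025-01-11T03:22:51Z 10.0.0.15 dns MAIL.showpiece.trillennium.biz.
2025-01-11T03:22:52Z 10.0.0.15 conn 67.23.226.139
2025-01-11T03:23:10Z 10.0.0.22 dns api.ipify.org
2025-01-11T03:23:10Z 10.0.0.22 conn 104.26.13.205
2025-01-11T03:24:01Z 10.0.0.31 dns showpiece.trillennium.biz.corp.example
2025-01-11T03:24:02Z 10.0.0.31 conn 67.23.226.140
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (dns|conn) (\S+)$")


def match_domain(name):
    """Return (indicator, tier) if name is an IOC or a subdomain of one.

    Matching is on label boundaries: 'x.showpiece.trillennium.biz' hits,
    'notshowpiece.trillennium.biz' and 'showpiece.trillennium.biz.corp.example'
    do not. Case and a trailing dot are ignored.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_IOCS:
            return candidate, DOMAIN_IOCS[candidate]
    return None


def match_ip(addr):
    """Return (indicator, tier) for an exact IP match; non-addresses never match."""
    try:
        normalized = str(ipaddress.ip_address(addr))
    except ValueError:
        return None
    tier = IP_IOCS.get(normalized)
    return (normalized, tier) if tier else None


def triage(log_text):
    """Group IOC hits per client. Verdict 'high' needs one high-tier hit;
    'low' means only shared-service indicators were seen (corroborate first)."""
    hosts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, kind, target = m.groups()
        hit = match_domain(target) if kind == "dns" else match_ip(target)
        if hit is None:
            continue
        entry = hosts.setdefault(client, {"verdict": "low", "hits": []})
        entry["hits"].append((ts, kind, target, hit[0], hit[1]))
        if hit[1] == "high":
            entry["verdict"] = "high"
    return hosts
```

On the constructed log, 10.0.0.15 is rated high (it both resolved the mail host and connected to 67.23.226.139), 10.0.0.22 is rated low (only the ipify lookup, which on its own is consistent with many benign programs), and 10.0.0.31 produces no hit at all despite a name that contains the C2 domain as a prefix. The context tables further down support the tiering: 67.23.226.139 appears in ten other AgentTesla analyses, while 104.26.13.205 shows up alongside unrelated ransomware and stealer families that all query api.ipify.org.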
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588700
Start date and time: 2025-01-11 04:21:54 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Wru9ycO2MJ.exe (renamed because original name is a hash value)
Original Sample Name: 851cadfb7b72af94db5c9db85e0d52dfcbf3fa948c7498627e4b67162cff6e7d.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 97%
                                                  • Number of executed functions: 68
                                                  • Number of non-executed functions: 9
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 172.202.163.200
                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
22:22:45 | API Interceptor | 10563651x Sleep call for process: Wru9ycO2MJ.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
67.23.226.139 | lUy4SKlE6A.exe | malicious | AgentTesla | -
67.23.226.139 | PO#86637.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | -
67.23.226.139 | Quotation.exe | malicious | AgentTesla | -
67.23.226.139 | Quotation.exe | malicious | AgentTesla, GuLoader | -
67.23.226.139 | 3Pd480eWHA.exe | malicious | AgentTesla | -
67.23.226.139 | Quotation.exe | malicious | AgentTesla, GuLoader | -
67.23.226.139 | COTIZACION.exe | malicious | AgentTesla, GuLoader | -
67.23.226.139 | Quotation.exe | malicious | AgentTesla | -
67.23.226.139 | Quotation.exe | malicious | AgentTesla, GuLoader | -
67.23.226.139 | Quotation.exe | malicious | AgentTesla, GuLoader | -
104.26.13.205 | Yoranis Setup.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | BiXS3FRoLe.exe | malicious | TrojanRansom | api.ipify.org/
104.26.13.205 | lEUy79aLAW.exe | malicious | TrojanRansom | api.ipify.org/
104.26.13.205 | Simple1.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.13.205 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | iNFGd6bDZX.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | MyzWeEOlqb.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | 5hD3Yjf7xD.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | ukBQ4ch2nE.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | ru52XOQ1p7.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | xJZHVgxQul.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | jG8N6WDJOx.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | HGhGAjCVw5.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | https://glfbanks.com/ | malicious | HTMLPhisher | 104.26.12.205
api.ipify.org | s2Jg1MAahY.exe | malicious | AgentTesla | 104.26.12.205
                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      CLOUDFLARENETUSiNFGd6bDZX.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.12.205
                                                                      n2pGr8w21V.exeGet hashmaliciousFormBookBrowse
                                                                      • 104.18.73.116
                                                                      tNXl4XhgmV.exeGet hashmaliciousMassLogger RATBrowse
                                                                      • 104.21.48.1
                                                                      MyzWeEOlqb.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.12.205
                                                                      02Eh1ah35H.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                      • 172.67.167.146
                                                                      5hD3Yjf7xD.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 172.67.74.152
                                                                      MBOaS3GRtF.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                      • 104.21.64.1
                                                                      https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNXGet hashmaliciousUnknownBrowse
                                                                      • 104.17.205.31
                                                                      https://youtube.com0x360x380x370x340x370x340x370x300x370x330x330x610x320x660x320x660x360x310x360x640x360x360x370x320x320x650x370x320x370x350x320x660x370x320x360x620x320x650x370x300x360x380x370x300x330x660x360x390x360x340x330x640x330x320x330x300x330x300x320x360x370x330x360x390x370x340x360x350x350x660x360x390x360x340x330x640x370x330x330x310x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x320x360x310x360x650x360x650x360x350x370x320x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x330x360x630x360x390x360x330x360x620x320x360x360x350x370x360x360x350x360x650x370x340x330x330x330x640x330x310x320x620x320x350x330x320x340x360x320x620x320x350x330x350x340x320x330x320x330x350x330x300x320x350x330x350x340x340x320x620x320x350x330x350x340x320x360x390x360x650x360x340x360x350x370x380x350x660x360x320x350x660x360x330x320x350x330x350x340x340x320x620x320x350x340x340x330x300x320x350x330x390x330x330x320x350x340x340x330x300x320x350x340x320x340x320x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x300x320x350x340x320x330x320x320x350x340x340x330x300x320x350x340x320x340x340x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x310x320x350x330x380x340x360x320x620x320x350x340x340x330x310x320x350x330x380x330x310x320x350x340x340x330x310x320x350x330x380x330x320x320x350x340x340x330x340x370x380x360x340x390x320x390x330x370x320x330x300x390x340x370x330x340x300x330x340x2d0x380x380x340x330x340x370x330x340x300x340x390x300x350x370x330x370x340x330x300x340x300x330x340x380x320x2d0x340x300x390x340x380x2d0x320x2d0x340x380x380x320x2d0x330x320x380x380x340x370x370x320x390x390x320x380x380x380x340x370x340x370x320x390x300x340x390x340x370x320x340x300x380x320x340x370x340x370x320x620x320x640x320x620x320x350x340x340x330x300x320x350x330x390x330x340x320x350x340x340x330x300x320x350x340x320x330x350x320x350x340x340x330x300x320x350x340x320x340x330x320x350x340x340x330x300x320x350x340x320x330x3
80x320x350x340x340x330x300x320x350x340x320x340x310x320x350x340x340x330 | Get hash | malicious | Unknown | Browse | 172.64.41.3
fpIGwanLZi.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.48.1
DIMENOCUSloligang.arm7.elf | Get hash | malicious | Mirai | Browse | 198.136.58.118
lUy4SKlE6A.exe | Get hash | malicious | AgentTesla | Browse | 67.23.226.139
ky.ps1 | Get hash | malicious | Unknown | Browse | 184.171.244.231
script.vbs | Get hash | malicious | Unknown | Browse | 184.171.244.231
mg.vbs | Get hash | malicious | Unknown | Browse | 184.171.244.231
mj.ps1 | Get hash | malicious | Unknown | Browse | 184.171.244.231
ap.ps1 | Get hash | malicious | Unknown | Browse | 184.171.244.231
cu.ps1 | Get hash | malicious | Unknown | Browse | 184.171.244.231
Scripts_Obfusque.vbs | Get hash | malicious | Unknown | Browse | 184.171.244.231
ni.ps1 | Get hash | malicious | Unknown | Browse | 184.171.244.231
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | iNFGd6bDZX.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | MyzWeEOlqb.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 5hD3Yjf7xD.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | AJ5zYYsisA.exe | Get hash | malicious | Unknown | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | AJ5zYYsisA.exe | Get hash | malicious | Unknown | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 4NG0guPiKA.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | n0nsAzvYNd.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | njVvgA8pEB.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | KtPCqWWnqM.exe | Get hash | malicious | Unknown | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | YDg44STseR.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.26.13.205
                                                                      No context
                                                                      Process:C:\Users\user\Desktop\Wru9ycO2MJ.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1216
                                                                      Entropy (8bit):5.34331486778365
                                                                      Encrypted:false
                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                      Malicious:true
                                                                      Reputation:high, very likely benign file
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.107147348894105
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                      File name:Wru9ycO2MJ.exe
                                                                      File size:1'120'256 bytes
                                                                      MD5:e984689ddc606e421d3cf8746ac0783e
                                                                      SHA1:209d2263e1baff1943533effa0f3e1964d98b8cd
                                                                      SHA256:851cadfb7b72af94db5c9db85e0d52dfcbf3fa948c7498627e4b67162cff6e7d
                                                                      SHA512:0141f05b526f817955e1efaf71b277e8dd96a0dc1bd624b58cdb0012e357b7d287da08395d5ecf879fccc20ce4c2154b0b6638a97330e527493294e2ab5b52d9
                                                                      SSDEEP:24576:CPIeeUQE6/PCxEF3IKBteMUvV5554HvPtht:2Bey63uERxBghV2PX
                                                                      TLSH:8035BF583A95E80FC35289354DF1FE7996384EA96E0A93039AD33DDFBA3CF895D40181
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K.Og..............0..f............... ........@.. ....................................@................................
                                                                      Icon Hash:41c0c45471554d45
                                                                      Entrypoint:0x4b859e
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x674F164B [Tue Dec 3 14:31:39 2024 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the report: the bytes following the .NET entry stub are zeros, and 00 00 disassembles to add byte ptr [eax], al; 0x402000 is the image base plus the IAT RVA 0x2000, i.e. the stub jumps through the IAT to the single import, mscoree.dll!_CorExeMain)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb854c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x5ac58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x116000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb65a4 | 0xb6600 | 15a6c0ebc5418b823a9ba80f28e5a3c7 | False | 0.9026007753598355 | data | 7.749018200049437 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xba000 | 0x5ac58 | 0x5ae00 | dd8805746db615b4ffcf31ace4f84736 | False | 0.38009908012379645 | data | 5.091346723217829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x116000 | 0xc | 0x200 | 20da4a97599fd48f3e258de7f01602ac | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
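The section table is the most telling static artefact in this report: the .text section of a 1.1 MB .NET assembly has an entropy of 7.75 and a ZLIB complexity of 0.90, which is what an encrypted or compressed embedded payload looks like, not plain IL and metadata, and it matches the "Allocates memory with a write watch" and "Creates a process in suspended mode" signatures of a loader that decrypts and injects a second stage. The Python below is an added example, not code from Joe Sandbox or from the sample: it parses the report's delimiter-free section rows, reproduces the bits-per-byte entropy measure the Entropy column reports, and applies the triage rule of flagging an executable section with entropy at or above 7.0. The three input rows are copied from this report; the 7.0 threshold and the column-splitting regex (anchored on the fixed-width MD5 and the True/False flag) are my assumptions about the report format.

```python
import math
import re

# The three rows of this report's section table, exactly as the report prints them
# (report data, not constructed). Columns are run together without a delimiter.
SECTION_ROWS = [
    ".text0x20000xb65a40xb660015a6c0ebc5418b823a9ba80f28e5a3c7False"
    "0.9026007753598355data7.749018200049437"
    "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ",
    ".rsrc0xba0000x5ac580x5ae00dd8805746db615b4ffcf31ace4f84736False"
    "0.38009908012379645data5.091346723217829"
    "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ",
    ".reloc0x1160000xc0x20020da4a97599fd48f3e258de7f01602acFalse"
    "0.044921875data0.10191042566270775"
    "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ",
]

# Column order assumed from the report header: Name, Virtual Address, Virtual Size,
# Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics.
# The 32-hex-digit MD5 and the True/False flag have a fixed shape, so regex
# backtracking resolves where the three run-together hex fields start and end.
ROW_RE = re.compile(
    r"^(?P<name>\S+?)"
    r"(?P<va>0x[0-9a-f]+)(?P<vsize>0x[0-9a-f]+)(?P<raw>0x[0-9a-f]+)"
    r"(?P<md5>[0-9a-f]{32})(?P<xored>True|False)"
    r"(?P<zlib>\d+(?:\.\d+)?)(?P<ftype>.+?)(?P<entropy>\d+(?:\.\d+)?)"
    r"(?P<chars>IMAGE_SCN_.*)$"
)


def parse_section_row(row: str) -> dict:
    """Split one flattened section row into typed fields."""
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f"unrecognised section row: {row[:40]!r}")
    g = m.groupdict()
    return {
        "name": g["name"],
        "virtual_address": int(g["va"], 16),
        "virtual_size": int(g["vsize"], 16),
        "raw_size": int(g["raw"], 16),
        "md5": g["md5"],
        "xored_pe": g["xored"] == "True",
        "zlib_complexity": float(g["zlib"]),
        "file_type": g["ftype"],
        "entropy": float(g["entropy"]),
        "characteristics": [c.strip() for c in g["chars"].split(",")],
    }


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, the measure behind the report's Entropy (8bit) column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Assumed triage rule of thumb, not a value taken from the report.
PACKED_ENTROPY_THRESHOLD = 7.0


def is_likely_packed(section: dict, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """Executable section whose bytes look compressed or encrypted rather than like code."""
    executable = "IMAGE_SCN_MEM_EXECUTE" in section["characteristics"]
    return executable and section["entropy"] >= threshold


def triage_sections(rows) -> list:
    """Names of the sections that warrant a closer look, in table order."""
    return [s["name"] for s in map(parse_section_row, rows) if is_likely_packed(s)]


if __name__ == "__main__":
    for row in SECTION_ROWS:
        s = parse_section_row(row)
        print(f"{s['name']:<7} VA=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.2f} packed={is_likely_packed(s)}")
    print("suspicious:", triage_sections(SECTION_ROWS))
```

Only .text is flagged: .rsrc carries the six icons and the manifest and sits at 5.09, and .reloc is a 12-byte stub. The raw sizes recovered by the parser also add up with the 0x200 byte header to exactly the 1'120'256 byte file size, which is a cheap check that the column split is right.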
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xba250 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | | | 0.3619626002307897
RT_ICON | 0xfc278 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.40127765290429435
RT_ICON | 0x10caa0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.4653991497401984
RT_ICON | 0x110cc8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.5120331950207468
RT_ICON | 0x113270 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.5834896810506567
RT_ICON | 0x114318 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.6356382978723404
RT_GROUP_ICON | 0x114780 | 0x5a | data | | | 0.7222222222222222
RT_GROUP_ICON | 0x1147dc | 0x14 | data | | | 1.05
RT_VERSION | 0x1147f0 | 0x278 | data | | | 0.46835443037974683
RT_MANIFEST | 0x114a68 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 04:22:46.730545044 CET | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jan 11, 2025 04:22:46.730632067 CET | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jan 11, 2025 04:22:46.730719090 CET | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jan 11, 2025 04:22:46.735546112 CET | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jan 11, 2025 04:22:46.735582113 CET | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jan 11, 2025 04:22:47.219085932 CET | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jan 11, 2025 04:22:47.220084906 CET | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jan 11, 2025 04:22:47.297911882 CET | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jan 11, 2025 04:22:47.297933102 CET | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jan 11, 2025 04:22:47.298322916 CET | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jan 11, 2025 04:22:47.340091944 CET | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jan 11, 2025 04:22:47.567719936 CET | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jan 11, 2025 04:22:47.615331888 CET | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jan 11, 2025 04:22:47.679023027 CET | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jan 11, 2025 04:22:47.679193974 CET | 443 | 49706 | 104.26.13.205 | 192.168.2.5
Jan 11, 2025 04:22:47.679250956 CET | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jan 11, 2025 04:22:47.701114893 CET | 49706 | 443 | 192.168.2.5 | 104.26.13.205
Jan 11, 2025 04:22:48.702569008 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:48.707505941 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:48.707592010 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:52.250037909 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.250976086 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:52.255734921 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.368916988 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.371634007 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:52.376442909 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.491426945 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.491884947 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:52.496762037 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.629302979 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.629384995 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.630281925 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:52.630542040 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.630552053 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.630603075 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:52.715276003 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.753947973 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:52.758981943 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.872461081 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:52.875611067 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:52.880440950 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:53.005471945 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:53.006767988 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:53.011610985 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:53.125613928 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:53.133029938 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:53.137790918 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:54.766092062 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:54.766892910 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:54.771837950 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:55.072632074 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:55.076916933 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
Jan 11, 2025 04:22:55.080265045 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:55.082165956 CET | 49708 | 587 | 192.168.2.5 | 67.23.226.139
Jan 11, 2025 04:22:55.087009907 CET | 587 | 49708 | 67.23.226.139 | 192.168.2.5
UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 11, 2025 04:22:46.717921972 CET  51742        53         192.168.2.5  1.1.1.1
Jan 11, 2025 04:22:46.725310087 CET  53           51742      1.1.1.1      192.168.2.5
Jan 11, 2025 04:22:48.370675087 CET  61182        53         192.168.2.5  1.1.1.1
Jan 11, 2025 04:22:48.701291084 CET  53           61182      1.1.1.1      192.168.2.5

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                            Type            Class        DNS over HTTPS
Jan 11, 2025 04:22:46.717921972 CET  192.168.2.5  1.1.1.1  0x35d8    Standard query (0)  api.ipify.org                   A (IP address)  IN (0x0001)  false
Jan 11, 2025 04:22:48.370675087 CET  192.168.2.5  1.1.1.1  0x4e44    Standard query (0)  mail.showpiece.trillennium.biz  A (IP address)  IN (0x0001)  false

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                            CName                      Address         Type                    Class        DNS over HTTPS
Jan 11, 2025 04:22:46.725310087 CET  1.1.1.1    192.168.2.5  0x35d8    No error (0)  api.ipify.org                   -                          104.26.13.205   A (IP address)          IN (0x0001)  false
Jan 11, 2025 04:22:46.725310087 CET  1.1.1.1    192.168.2.5  0x35d8    No error (0)  api.ipify.org                   -                          104.26.12.205   A (IP address)          IN (0x0001)  false
Jan 11, 2025 04:22:46.725310087 CET  1.1.1.1    192.168.2.5  0x35d8    No error (0)  api.ipify.org                   -                          172.67.74.152   A (IP address)          IN (0x0001)  false
Jan 11, 2025 04:22:48.701291084 CET  1.1.1.1    192.168.2.5  0x4e44    No error (0)  mail.showpiece.trillennium.biz  showpiece.trillennium.biz  -               CNAME (Canonical name)  IN (0x0001)  false
Jan 11, 2025 04:22:48.701291084 CET  1.1.1.1    192.168.2.5  0x4e44    No error (0)  showpiece.trillennium.biz       -                          67.23.226.139   A (IP address)          IN (0x0001)  false
                                                                      • api.ipify.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49706        104.26.13.205   443               4668  C:\Users\user\Desktop\Wru9ycO2MJ.exe
Timestamp                Bytes transferred  Direction  Data

2025-01-11 03:22:47 UTC  155                OUT
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive

2025-01-11 03:22:47 UTC  424                IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 03:22:47 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 9001c8cf9eae4315-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1580&rtt_var=598&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1821584&cwnd=218&unsent_bytes=0&cid=eb1e6f65f9e3daa7&ts=471&x=0"

2025-01-11 03:22:47 UTC  12                 IN
Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


SMTP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP        Commands

Jan 11, 2025 04:22:52.250037909 CET  587          49708      67.23.226.139  192.168.2.5
220-super.nseasy.com ESMTP Exim 4.96.2 #2 Fri, 10 Jan 2025 22:22:52 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

Jan 11, 2025 04:22:52.250976086 CET  49708        587        192.168.2.5    67.23.226.139
EHLO 783875

Jan 11, 2025 04:22:52.368916988 CET  587          49708      67.23.226.139  192.168.2.5
250-super.nseasy.com Hello 783875 [8.46.123.189]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-STARTTLS
250 HELP

Jan 11, 2025 04:22:52.371634007 CET  49708        587        192.168.2.5    67.23.226.139
STARTTLS

Jan 11, 2025 04:22:52.491426945 CET  587          49708      67.23.226.139  192.168.2.5
220 TLS go ahead


                                                                      Target ID:0
                                                                      Start time:22:22:44
                                                                      Start date:10/01/2025
                                                                      Path:C:\Users\user\Desktop\Wru9ycO2MJ.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\Wru9ycO2MJ.exe"
                                                                      Imagebase:0x3c0000
                                                                      File size:1'120'256 bytes
                                                                      MD5 hash:E984689DDC606E421D3CF8746AC0783E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2070865518.0000000004330000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2070865518.0000000004330000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:22:22:45
                                                                      Start date:10/01/2025
                                                                      Path:C:\Users\user\Desktop\Wru9ycO2MJ.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\Wru9ycO2MJ.exe"
                                                                      Imagebase:0x790000
                                                                      File size:1'120'256 bytes
                                                                      MD5 hash:E984689DDC606E421D3CF8746AC0783E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4504072782.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4502142983.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4504072782.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4504072782.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:false


                                                                        Execution Graph

                                                                        Execution Coverage:10.2%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:18
                                                                        Total number of Limit Nodes:2

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Te]q$Te]q
                                                                        • API String ID: 0-3320153681
                                                                        • Opcode ID: f4a11fc95bfd845b505b6f2891a21d99a335d7317c22b7ab5ef4cf92fcdc85a4
                                                                        • Instruction ID: 3d79e23d2093eda504dbff39bb5eb894b80b20f43328a6acc830993045e57f53
                                                                        • Opcode Fuzzy Hash: f4a11fc95bfd845b505b6f2891a21d99a335d7317c22b7ab5ef4cf92fcdc85a4
                                                                        • Instruction Fuzzy Hash: 03812B31A141498FCB19CF68C8956FEBBB2FF85310F24845BD446AB291C635DE0ACB59

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Qom$o^I
                                                                        • API String ID: 0-1946801590
                                                                        • Opcode ID: 7462ee48950db40e2e7033da8121d55eb1c1df7e1df55c17445067a8158d4272
                                                                        • Instruction ID: 57141e0c95019350db2371d37360703a3260fca324900cb4103db69f6b73d581
                                                                        • Opcode Fuzzy Hash: 7462ee48950db40e2e7033da8121d55eb1c1df7e1df55c17445067a8158d4272
                                                                        • Instruction Fuzzy Hash: 0E718275625211CFC728CF6CC98062A7BA5BB94300F929867DD47EF266CB30ED41CB99

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Te]q$Te]q
                                                                        • API String ID: 0-3320153681
                                                                        • Opcode ID: 1ac48f5736e37eb6a41499d9a6c9b83c66941e45d17ec6bcd9881d19af2a3ec3
                                                                        • Instruction ID: 32b6adf90bf08c5c9b64ed07279db4cb5d1898ef2d1be8b836165613100a392f
                                                                        • Opcode Fuzzy Hash: 1ac48f5736e37eb6a41499d9a6c9b83c66941e45d17ec6bcd9881d19af2a3ec3
                                                                        • Instruction Fuzzy Hash: CE512731B141498FCB198F69CC516FEBBB2FF85310F25845BE446EB291CA349E0ACB55

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Te]q$Te]q
                                                                        • API String ID: 0-3320153681
                                                                        • Opcode ID: 9848b311dec64ac5bd36e60c925ec06a074f60cb4670737b38e63f7bfb246e2f
                                                                        • Instruction ID: 32b45ed0b53a3def6f0184d91dc76147df152f597a9239da46b950f095b58f69
                                                                        • Opcode Fuzzy Hash: 9848b311dec64ac5bd36e60c925ec06a074f60cb4670737b38e63f7bfb246e2f
                                                                        • Instruction Fuzzy Hash: 9E51D631B10016CFCB189FADC9416BEB6F6FB88710F61842AE502EB394CA34CD05CB95

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: o^I
                                                                        • API String ID: 0-1726515752
                                                                        • Opcode ID: 0fb8317b0b5d34fba9dd77fc3d72841fd8e0d8cfe00d3e1024f5cf72fd47760f
                                                                        • Instruction ID: 9f4399796071172d777e42e7598ecddd18ccd470a2e82933ddb456d02f1182f1
                                                                        • Opcode Fuzzy Hash: 0fb8317b0b5d34fba9dd77fc3d72841fd8e0d8cfe00d3e1024f5cf72fd47760f
                                                                        • Instruction Fuzzy Hash: 2BB1F2322292848BC7568F28D8956FA7FB1FF82210B4648A7DC86DF163C631E946C75D

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e205c99d29be080b25179ff3d794f82a37d97ca5edd3159689e52c880d7a0b4a
                                                                        • Instruction ID: ca0dadc148e8990cfb6bce8a690055a05e1e9ed01a0ec9067353ef977b51524d
                                                                        • Opcode Fuzzy Hash: e205c99d29be080b25179ff3d794f82a37d97ca5edd3159689e52c880d7a0b4a
                                                                        • Instruction Fuzzy Hash: 545181707002064BCB19ABBCD555B6F7BABBFC4304B10882DD40A9B796EF34ED058B95
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e924a0bc3c62c6318d9c73c07910e325ac8718a6bd628899f198a34339a82459
                                                                        • Instruction ID: e2ca09f1695e6962f7a394369cf0e052d293784db729a9cd954e23df64870b6e
                                                                        • Opcode Fuzzy Hash: e924a0bc3c62c6318d9c73c07910e325ac8718a6bd628899f198a34339a82459
                                                                        • Instruction Fuzzy Hash: C85180707002068BCB19ABBCD955B6F7BABBFC4304F10882DD40A9B799DE34ED058B95

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 474 25d8e64-25d8e6e 475 25d8e70-25d8f31 CreateActCtxA 474->475 477 25d8f3a-25d8f94 475->477 478 25d8f33-25d8f39 475->478 485 25d8f96-25d8f99 477->485 486 25d8fa3-25d8fa7 477->486 478->477 485->486 487 25d8fa9-25d8fb5 486->487 488 25d8fb8 486->488 487->488 490 25d8fb9 488->490 490->490
                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 025D8F21
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        • Opcode ID: 1c108bef9e120010acef21ba82037b65669af26b0f5989015b0cd3a67b771334
                                                                        • Instruction ID: 290ade3dada586ff573bd2c8ef9eb3a0b00b4dbd77d067e70ec7b89cf361b750
                                                                        • Opcode Fuzzy Hash: 1c108bef9e120010acef21ba82037b65669af26b0f5989015b0cd3a67b771334
                                                                        • Instruction Fuzzy Hash: 714104B0C00619CFDB24DFA9C948B9DFBF6BF48704F24805AD408AB254DB766946CF91

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 491 25d79f4-25d8f31 CreateActCtxA 494 25d8f3a-25d8f94 491->494 495 25d8f33-25d8f39 491->495 502 25d8f96-25d8f99 494->502 503 25d8fa3-25d8fa7 494->503 495->494 502->503 504 25d8fa9-25d8fb5 503->504 505 25d8fb8 503->505 504->505 507 25d8fb9 505->507 507->507
                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 025D8F21
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        • Opcode ID: a2718dbf4403320fe51b9b3914b88a8ab589bc88353a2b16a6011ca9c23472ca
                                                                        • Instruction ID: ed3b81f9c5e75402e99df410d6da8da2140eae3961c7d2b92bc6d810a0558728
                                                                        • Opcode Fuzzy Hash: a2718dbf4403320fe51b9b3914b88a8ab589bc88353a2b16a6011ca9c23472ca
                                                                        • Instruction Fuzzy Hash: 924102B0C00719CFDB24DFA9C848B9DBBF6BF48704F24806AD408AB254DBB56946CF90

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 508 25de6f8-25de738 509 25de73a-25de73d 508->509 510 25de740-25de76b GetModuleHandleW 508->510 509->510 511 25de76d-25de773 510->511 512 25de774-25de788 510->512 511->512
                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 025DE75E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: 8458fb5b122ad1bf1ae689d17609bcfc90b050c5da81425125df5bbf9a7b3a1d
                                                                        • Instruction ID: 7e56a04ea32cf82cf2de4ba48f15f327c629293bbd9af2469927836135ad4530
                                                                        • Opcode Fuzzy Hash: 8458fb5b122ad1bf1ae689d17609bcfc90b050c5da81425125df5bbf9a7b3a1d
                                                                        • Instruction Fuzzy Hash: A2110FB5C003898FCB20DF9AC444ADEFBF5EB88224F14841AD518A7200D379A545CFA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069683515.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_ccd000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 30b336ca6f2b6adf5227e6854c9b2eeb267997641454e101a3dc7dad4b4e5955
                                                                        • Instruction ID: ae6e92a9fb1fb82d6f7f2f99e73776adf91a97551f741372630839d85bf70a56
                                                                        • Opcode Fuzzy Hash: 30b336ca6f2b6adf5227e6854c9b2eeb267997641454e101a3dc7dad4b4e5955
                                                                        • Instruction Fuzzy Hash: 1021FFB2500240DFCB05DF14D9C0F26BF65FB98318F20C5BDE90A0A256C33AD956DAA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069721392.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_cdd000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 400fb2ad8c854a75a6a1bd9ca03c1bccbca959d09f5e877b76499866d05e3f19
                                                                        • Instruction ID: 6fae04aa985d7bd9ac7d9ab37f9e720632e946f2cc76210a0a400a2870a93b70
                                                                        • Opcode Fuzzy Hash: 400fb2ad8c854a75a6a1bd9ca03c1bccbca959d09f5e877b76499866d05e3f19
                                                                        • Instruction Fuzzy Hash: F821D371904204DFCB14DF24D9C4B26BB65EB88314F24C56ADA0A4B356C33AE806CA61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069721392.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_cdd000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9d38ed897a1ce7a44691d797e6d72c9d1f84f5b59609ceb9a71422c8b48c9a41
                                                                        • Instruction ID: f1aad0934e21a45c9f6427932d414dda2006848364be6f826535a1cee32cc251
                                                                        • Opcode Fuzzy Hash: 9d38ed897a1ce7a44691d797e6d72c9d1f84f5b59609ceb9a71422c8b48c9a41
                                                                        • Instruction Fuzzy Hash: 6A218E755093808FCB12CF24D994715BF71EB86314F28C5EBD9498B6A7C33A980ACB62
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069683515.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_ccd000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                        • Instruction ID: 9433fea157a487db97569865b233066c13c25a65ac534c259108d9d999c2610f
                                                                        • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                        • Instruction Fuzzy Hash: 2011D3B6504280CFCB16CF14D9C4B16BF71FB98314F24C6ADD94A0B656C336D95ACBA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069683515.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_ccd000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bc655f422edd832fd78f151da5fe3a26f6ec8c070221e7f64ccca184587b7057
                                                                        • Instruction ID: 33cdb459cf6c021cb93648e7dc028e0c93519b4c50b9a2c86fa7c7324f305d1b
                                                                        • Opcode Fuzzy Hash: bc655f422edd832fd78f151da5fe3a26f6ec8c070221e7f64ccca184587b7057
                                                                        • Instruction Fuzzy Hash: 9001DB710043449AE7109A2ACD84F67FFDCEF45324F28C47EED1A5A29AD2799C40C771
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069683515.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_ccd000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: caeff0ba5a1f5ccda9d7f0e808119dae43fd861021dc1ce6e150f27153fbe177
                                                                        • Instruction ID: fccf4dbe01b444c102addfcc7437bf0570f4b96face9e2600c6d852bd55ff4e3
                                                                        • Opcode Fuzzy Hash: caeff0ba5a1f5ccda9d7f0e808119dae43fd861021dc1ce6e150f27153fbe177
                                                                        • Instruction Fuzzy Hash: B8F0F6710043449EE7108A1ACC84B62FFD8EF91734F18C46EED194F286C2799C40CB71
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c2711e57a97448a96a26d07b82ab4a531e689adec1bdf839fdcbd98904ea0069
                                                                        • Instruction ID: b75957d0bb547a03abae66de309b3980e6151822598195e55a34174b0737e919
                                                                        • Opcode Fuzzy Hash: c2711e57a97448a96a26d07b82ab4a531e689adec1bdf839fdcbd98904ea0069
                                                                        • Instruction Fuzzy Hash: 7941CE71B146028FC725CB2DD885A5ABBF2FF85210F24CC2AE45ACB662D230E941CF55
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2069908373.00000000025D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25d0000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9adac49bfc60ae3575e44d8b7cdd2527717a3655cd3dccf90b32949b857507d1
                                                                        • Instruction ID: 9d752ac3737c474f71b776f52da84c2bfd603c1fc1e0516dadfac676c9f17b71
                                                                        • Opcode Fuzzy Hash: 9adac49bfc60ae3575e44d8b7cdd2527717a3655cd3dccf90b32949b857507d1
                                                                        • Instruction Fuzzy Hash: CC41BE71B106068FC724CB2DD885A5AB7E2FF84210F24DC2AE46ADBA65D230ED41CF55

                                                                        Execution Graph

                                                                        Execution Coverage:8.4%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:17
                                                                        Total number of Limit Nodes:4
                                                                        execution_graph 41741 e00848 41743 e0084e 41741->41743 41742 e0091b 41743->41742 41745 e01383 41743->41745 41746 e01396 41745->41746 41747 e01480 41746->41747 41749 e07eb0 41746->41749 41747->41743 41750 e07eba 41749->41750 41751 e07ed4 41750->41751 41754 689fad8 41750->41754 41758 689fae8 41750->41758 41751->41746 41756 689fafd 41754->41756 41755 689fd12 41755->41751 41756->41755 41757 689fd29 GlobalMemoryStatusEx 41756->41757 41757->41756 41759 689fafd 41758->41759 41760 689fd12 41759->41760 41761 689fd29 GlobalMemoryStatusEx 41759->41761 41760->41751 41761->41759
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-3723351465
                                                                        • Opcode ID: 994823fdca4c2d84531799811b4efd6e32f1925b02b62cafc6397a368408e2f1
                                                                        • Instruction ID: fa65d92d2842d161cbea46b8f8a4e21854d617bb7e26f2da1a39795cd8436629
                                                                        • Opcode Fuzzy Hash: 994823fdca4c2d84531799811b4efd6e32f1925b02b62cafc6397a368408e2f1
                                                                        • Instruction Fuzzy Hash: CEE25734E102098FDB64DF68C594A9DB7F2FF89304F5885A9D409EB265EB30ED85CB90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-3723351465
                                                                        • Opcode ID: b35a9dcf329f9a4b8c584354f9be45c3ce348115af1ae8d5131a12987d545744
                                                                        • Instruction ID: 7a2f179582d4ccf864984c361419ed79f4df8587aa513b15287154cf8638f51f
                                                                        • Opcode Fuzzy Hash: b35a9dcf329f9a4b8c584354f9be45c3ce348115af1ae8d5131a12987d545744
                                                                        • Instruction Fuzzy Hash: D5528E30E002098FDF64DF68E5907AEB7B6EB85314F188929E509EB395DB34DD41CBA1

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1761 6897e20-6897e3e 1762 6897e40-6897e43 1761->1762 1763 6897e45-6897e61 1762->1763 1764 6897e66-6897e69 1762->1764 1763->1764 1765 6897e6b-6897e85 1764->1765 1766 6897e8a-6897e8d 1764->1766 1765->1766 1768 6897e8f-6897e9d 1766->1768 1769 6897ea4-6897ea7 1766->1769 1778 6897ec6-6897edc 1768->1778 1779 6897e9f 1768->1779 1771 6897ea9-6897eb3 1769->1771 1772 6897eb4-6897eb6 1769->1772 1774 6897eb8 1772->1774 1775 6897ebd-6897ec0 1772->1775 1774->1775 1775->1762 1775->1778 1781 6897ee2-6897eeb 1778->1781 1782 68980f7-6898101 1778->1782 1779->1769 1783 6897ef1-6897f0e 1781->1783 1784 6898102-6898137 1781->1784 1793 68980e4-68980f1 1783->1793 1794 6897f14-6897f3c 1783->1794 1787 6898139-689813c 1784->1787 1789 68981ef-68981f2 1787->1789 1790 6898142-689814e 1787->1790 1791 68981f8-6898207 1789->1791 1792 689841e-6898421 1789->1792 1797 6898159-689815b 1790->1797 1807 6898209-6898224 1791->1807 1808 6898226-6898261 1791->1808 1795 6898423-689843f 1792->1795 1796 6898444-6898446 1792->1796 1793->1781 1793->1782 1794->1793 1818 6897f42-6897f4b 1794->1818 1795->1796 1798 6898448 1796->1798 1799 689844d-6898450 1796->1799 1802 689815d-6898163 1797->1802 1803 6898173-689817a 1797->1803 1798->1799 1799->1787 1806 6898456-689845f 1799->1806 1810 6898165 1802->1810 1811 6898167-6898169 1802->1811 1804 689818b 1803->1804 1805 689817c-6898189 1803->1805 1812 6898190-6898192 1804->1812 1805->1812 1807->1808 1820 68983f2-6898408 1808->1820 1821 6898267-6898278 1808->1821 1810->1803 1811->1803 1814 68981a9-68981e2 1812->1814 1815 6898194-6898197 1812->1815 1814->1791 1842 68981e4-68981ee 1814->1842 1815->1806 1818->1784 1822 6897f51-6897f6d 1818->1822 1820->1792 1830 68983dd-68983ec 1821->1830 1831 689827e-689829b 1821->1831 1832 6897f73-6897f9d 1822->1832 1833 68980d2-68980de 1822->1833 1830->1820 1830->1821 1831->1830 1841 68982a1-6898397 call 6896648 1831->1841 1845 68980c8-68980cd 1832->1845 1846 6897fa3-6897fcb 1832->1846 1833->1793 1833->1818 1894 6898399-68983a3 1841->1894 1895 68983a5 1841->1895 1845->1833 1846->1845 1852 6897fd1-6897fff 1846->1852 1852->1845 1857 6898005-689800e 1852->1857 1857->1845 1859 6898014-6898046 1857->1859 1867 6898048-689804c 1859->1867 1868 6898051-689806d 1859->1868 1867->1845 1869 689804e 1867->1869 1868->1833 1870 689806f-68980c6 call 6896648 1868->1870 1869->1868 1870->1833 1896 68983aa-68983ac 1894->1896 1895->1896 1896->1830 1897 68983ae-68983b3 1896->1897 1898 68983c1 1897->1898 1899 68983b5-68983bf 1897->1899 1900 68983c6-68983c8 1898->1900 1899->1900 1900->1830 1901 68983ca-68983d6 1900->1901 1901->1830
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q
                                                                        • API String ID: 0-127220927
                                                                        • Opcode ID: bf67e8ace2ce86030cdb25cf7379348f6278faecebdfbe7c39b1224baf647047
                                                                        • Instruction ID: 949122d1864a163bda854131901d4a01f3bd0823cf58f1a39f06ec833011a0ca
                                                                        • Opcode Fuzzy Hash: bf67e8ace2ce86030cdb25cf7379348f6278faecebdfbe7c39b1224baf647047
                                                                        • Instruction Fuzzy Hash: 3C029E30B002069FDF58DF68D990A6EB7A2FF85304F188929D509DB394DB35EC46CBA1

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph: function starting at 6895648 (rendered graph; basic-block edge list not reproduced)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $
                                                                        • API String ID: 0-3993045852
                                                                        • Opcode ID: e419941828951965a9b116229e1ef674e68115eb60a0f4c7dd589c3ffdfb82cb
                                                                        • Instruction ID: 22930d30099b4e3e09db5b2c56a477ae97d4025ba0d9fbf9aaebf00b332f2c4f
                                                                        • Opcode Fuzzy Hash: e419941828951965a9b116229e1ef674e68115eb60a0f4c7dd589c3ffdfb82cb
                                                                        • Instruction Fuzzy Hash: 0922E371F002159FDF65DFA4C4906AEB7B2EF84324F288469D649EB344DA31DD42CBA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9848aaf07072184496503245eca1e6892f6364e15ae596b77e5b751d572f1ddd
                                                                        • Instruction ID: e38a9dfca2dc13da529439baa5c4895150dd6bfb0e4e989a0d815c7038c6973f
                                                                        • Opcode Fuzzy Hash: 9848aaf07072184496503245eca1e6892f6364e15ae596b77e5b751d572f1ddd
                                                                        • Instruction Fuzzy Hash: F0629130B002049FEF54DB68D954AADB7F2EF84314F188569E505EB395EB35EC86CBA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 03811921470ab86e65c9573616c8e6a2d0195a4eae447837d9d9379982881cea
                                                                        • Instruction ID: 064a1789d03b197a176a1fdeaedacda2c223dff4c1b37bba4091aeca2cb1cbd7
                                                                        • Opcode Fuzzy Hash: 03811921470ab86e65c9573616c8e6a2d0195a4eae447837d9d9379982881cea
                                                                        • Instruction Fuzzy Hash: C832DE30B002099FDF54DF68D990AAEB7B6FB88314F148529E505E7395DB36EC42CBA1

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph: function starting at 689ad60, with calls to 6896648, 689b2bb and 689b2c8 (rendered graph; basic-block edge list not reproduced)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-1273862796
                                                                        • Opcode ID: 4c30f881d7b029955cd6a46953d5bbe40ec6e98a048ffdbf260b15001dfc82d5
                                                                        • Instruction ID: 8f3b1f6c907e8479cce9901e1d3fd01d11180e7c94cb2db03bcadabbe0987274
                                                                        • Opcode Fuzzy Hash: 4c30f881d7b029955cd6a46953d5bbe40ec6e98a048ffdbf260b15001dfc82d5
                                                                        • Instruction Fuzzy Hash: 60E19030E102098FDF69DFA8D5906AEB7B6EF85304F148629E405EB354DB74EC46CBA1

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph: function starting at 68991e8 (rendered graph; basic-block edge list not reproduced)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                        • API String ID: 0-858218434
                                                                        • Opcode ID: 90968a66a2224228e31b721b404f528c7efafb15c9b0c2dec117c7788bdeb4fa
                                                                        • Instruction ID: a172699144464eb76f4dda52c0ebc7bc42879350cd733d7c3c5e5bb1465381ff
                                                                        • Opcode Fuzzy Hash: 90968a66a2224228e31b721b404f528c7efafb15c9b0c2dec117c7788bdeb4fa
                                                                        • Instruction Fuzzy Hash: 4D915170B0020A9FDF55DF69D9507AEB3F6BF88204F148569C419EB388EF309D468BA1

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph: function starting at 689cfe0, with calls to 6896648, 689db55 and 689db68 (rendered graph; basic-block edge list not reproduced)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q
                                                                        • API String ID: 0-182748909
                                                                        • Opcode ID: e2808038e277296953ef25da9817c618e17df507e5b631ff890e879c98c55c7b
                                                                        • Instruction ID: fd1a826631f33e91c8e1e74b8a7c87e15580b581fca5484447f2f90dfee69e9c
                                                                        • Opcode Fuzzy Hash: e2808038e277296953ef25da9817c618e17df507e5b631ff890e879c98c55c7b
                                                                        • Instruction Fuzzy Hash: 8C62703060060A8FCB59EF68D590A5EB7F6FF85304B248A28D009DF359DB75ED4ACB91

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph: function starting at 6894c10, with calls to 68954b8 and 68954c8 (rendered graph; basic-block edge list not reproduced)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: fbq$XPbq$\Obq
                                                                        • API String ID: 0-4057264190
                                                                        • Opcode ID: 7a0703b51ceb64532d4e9019e2020d428369f6e51122c6c4bbf31358456b5fc0
                                                                        • Instruction ID: 9eca5ae13a2e3bf55186c7b8a96d4bbb4195342ac8b82f71b3704c3427d7d41e
                                                                        • Opcode Fuzzy Hash: 7a0703b51ceb64532d4e9019e2020d428369f6e51122c6c4bbf31358456b5fc0
                                                                        • Instruction Fuzzy Hash: 3F616F30F002099FEF549FA8C8557AEBBF6EF88304F248529E105EB395DE754D468BA1

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph: function starting at 68991d8 (rendered graph; basic-block edge list not reproduced)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q
                                                                        • API String ID: 0-127220927
                                                                        • Opcode ID: 1582e671ebdd3f5a90d0a05cf1c667fefd5bda29af753d75579fef6437f223c8
                                                                        • Instruction ID: 0faecaba860ccdb2222aff170f452e926a465aef0d7cdf11ac9c5dfe91e124f2
                                                                        • Opcode Fuzzy Hash: 1582e671ebdd3f5a90d0a05cf1c667fefd5bda29af753d75579fef6437f223c8
                                                                        • Instruction Fuzzy Hash: 23518070B002069FDF54DF78D951B6EB3F6EB88204F148929C419DB398EE30EC028BA1

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph: function starting at e0eb20, with a call to e0e720 and to GlobalMemoryStatusEx (rendered graph; basic-block edge list not reproduced)
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4502985029.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_e00000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 88364fc0c8ae3761b88b35483b6b26cc1570afe035f385ebcc57ea25d9073ff4
                                                                        • Instruction ID: 8cad5625c87d614e235ea27f6b43b76d997daa2be31a40d844ddf9e8a83a09fb
                                                                        • Opcode Fuzzy Hash: 88364fc0c8ae3761b88b35483b6b26cc1570afe035f385ebcc57ea25d9073ff4
                                                                        • Instruction Fuzzy Hash: FC413632D003498FCB14DFB9D8442EEBBB1AF99310F15866BD404B7391EB389885CBA0
                                                                        APIs
                                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 00E0EC6F
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4502985029.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_e00000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID: GlobalMemoryStatus
                                                                        • String ID:
                                                                        • API String ID: 1890195054-0
                                                                        • Opcode ID: 6dae30fed70a85812a0fed0e7518beb8f16da7b9232474e77441aced74bbf24e
                                                                        • Instruction ID: 125791899c4cadc5cb7b1d0302337ed391ea3cafc09b71d3bf7f1ba8ca215c68
                                                                        • Opcode Fuzzy Hash: 6dae30fed70a85812a0fed0e7518beb8f16da7b9232474e77441aced74bbf24e
                                                                        • Instruction Fuzzy Hash: 15111FB1C006599BCB10DFAAC544AAEFBF8AF48320F14852AD818B7240D378A940CFE5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 00365b2cdbbd62f945ae40e428b89582b0e14358a320846ba9dc90248774225d
                                                                        • Instruction ID: 4fd78ae8d4ae8dac81e52ac3e6072af98b963d668ed81ab22edbb775b6e2bb36
                                                                        • Opcode Fuzzy Hash: 00365b2cdbbd62f945ae40e428b89582b0e14358a320846ba9dc90248774225d
                                                                        • Instruction Fuzzy Hash: 8121AE75F006159FDF50DFA8D981AAEBBF1EB48318F144029E909E7340EB30E941CBA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2ce3a1261ff3c03863e898b3240bac80eeb193f5b70debe6b074353ecd217a23
                                                                        • Instruction ID: 93182e1eab5aa790c55d9015466f39fb9e9822bf01e8195f23f5ef734cd3930d
                                                                        • Opcode Fuzzy Hash: 2ce3a1261ff3c03863e898b3240bac80eeb193f5b70debe6b074353ecd217a23
                                                                        • Instruction Fuzzy Hash: FE218C31A006099FCF61CEA9D881AAFBBB6EB88310F144929E219D7651D731A845CB92
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4502600566.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d5d000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5ff1f0901aa2048c3dff875167385d2a5c1fffe2dd6b74ff912d94121ce1d88e
                                                                        • Instruction ID: 9315f624c07d87cb64e2a8e5ca226325e17e928fc86d430774ac7b26f09780ca
                                                                        • Opcode Fuzzy Hash: 5ff1f0901aa2048c3dff875167385d2a5c1fffe2dd6b74ff912d94121ce1d88e
                                                                        • Instruction Fuzzy Hash: 7E21F271504204DFCF24DF28C9C4B26BB66FB84315F24C569ED494B392C73AD84ADA72
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: eea48d93c3a65aa4a142708adbba47d3cb8ad441bd6daf80bd6a97d032976d7e
                                                                        • Instruction ID: ba266bcf9d29fc6c7db58fae7364dd175ffd21d65308afe5179e803cb433773d
                                                                        • Opcode Fuzzy Hash: eea48d93c3a65aa4a142708adbba47d3cb8ad441bd6daf80bd6a97d032976d7e
                                                                        • Instruction Fuzzy Hash: 8311C432B105285FDF55D679C8146AE73EAEBC8318F044579D50AE7344DE35DC068BE1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f695e0dfd51de75fdc05d48601599a5407859dbfce4f612e39f89eae99ae52c4
                                                                        • Instruction ID: 34db3c4ea677112dbbd3b8e46f5ca1f024ab5f3f911484fdf75abf3477e6aee0
                                                                        • Opcode Fuzzy Hash: f695e0dfd51de75fdc05d48601599a5407859dbfce4f612e39f89eae99ae52c4
                                                                        • Instruction Fuzzy Hash: 1501B531B041141FDF65A6BDD415B2FBBEADBCA620F14892AE10AC7351D965CC4383A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 84478f711c15cfa6c04033ab288bd9dec5606b106f67226041ae77baf543a1a6
                                                                        • Instruction ID: e52a175db7b5ccb9650bc1e615bd8e55c6e851dd0ffe253a783f0fc9575faac9
                                                                        • Opcode Fuzzy Hash: 84478f711c15cfa6c04033ab288bd9dec5606b106f67226041ae77baf543a1a6
                                                                        • Instruction Fuzzy Hash: 9001B135B104105FCF25DA6D9498B2E7BD6DFC9610F184939F20ACB381DA21DD0243D1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c7d9bb6ab8398e3386a51510bb7ec1477e3b074f748d4aed3c00148d77d246c5
                                                                        • Instruction ID: 332ba47075dfaee969b5f79b00798179b770a64dec9356de26ee131444bfa334
                                                                        • Opcode Fuzzy Hash: c7d9bb6ab8398e3386a51510bb7ec1477e3b074f748d4aed3c00148d77d246c5
                                                                        • Instruction Fuzzy Hash: 6811B3B5D01259AFCB00DF9AD984ADEFBB8FB49314F10812AE918A7240D374A554CFA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 34bab31b95c549d256d3772cb1eff18e4013b656b25785f373c90b5ba5110968
                                                                        • Instruction ID: b0895b5ac8f5027c3842104c4757cade0aef76e2216992ff05983dd70972b999
                                                                        • Opcode Fuzzy Hash: 34bab31b95c549d256d3772cb1eff18e4013b656b25785f373c90b5ba5110968
                                                                        • Instruction Fuzzy Hash: 0801D131B100140BDF64A6BED415B2FA6DBDBC9720F24893AE20EC7354DD61DC4383A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 22dd0d7dbcc8d924ae79b246d9b07641a2dd669d5377cfe8b646d0947079fbba
                                                                        • Instruction ID: 07f0a2bbd061bf18200c0a811ffa05967c16958c83098ee14052c6cc4ef032cf
                                                                        • Opcode Fuzzy Hash: 22dd0d7dbcc8d924ae79b246d9b07641a2dd669d5377cfe8b646d0947079fbba
                                                                        • Instruction Fuzzy Hash: 9801F231B100114FDB68EA3CE565B3EB7E2EB85324F148928E20EC7750DF21EC0287A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 117a7c8544fc5900039a030114ecbcafa4cee043f437a7667ab34f79e0649a2f
                                                                        • Instruction ID: 5c9af15f98b21fd56b573d7f75226f2f72da59edbd83540bb6c812108ffaf330
                                                                        • Opcode Fuzzy Hash: 117a7c8544fc5900039a030114ecbcafa4cee043f437a7667ab34f79e0649a2f
                                                                        • Instruction Fuzzy Hash: 6D219EB5D01219AFCB00DF9AD984A9EFBB8FF49314F10852AE918B7240D378A554CBA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 33dda796c7146ae000275604e642c6e58e49d7fd601927b1f069a0aafbdbd104
                                                                        • Instruction ID: fd7b48e72a1d0b0ae8bc1da46d5da196fe497af789530f11121022dfe55ee365
                                                                        • Opcode Fuzzy Hash: 33dda796c7146ae000275604e642c6e58e49d7fd601927b1f069a0aafbdbd104
                                                                        • Instruction Fuzzy Hash: 93018135B104145BDF65D96D94A8B3F7BDADFC9610F188939F20AC7340DE25DC0243A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4c915bc14b7d175ae8d24c7db89c740e789c2dee3b1fb1b3335d5c2823ca3d7a
                                                                        • Instruction ID: 212eb224ff88f53615d21fb6242a4b4fd5ddeeee7a899b97c8630a57335a8e4b
                                                                        • Opcode Fuzzy Hash: 4c915bc14b7d175ae8d24c7db89c740e789c2dee3b1fb1b3335d5c2823ca3d7a
                                                                        • Instruction Fuzzy Hash: 8801F732F101245BDF959968CC142EF73AA9BC8218F050179D50AE7340EE648C0647D1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ebdfa44cef726c92bef2d6ca3a46e624759f510af0677d85df29fc81ba050f9c
                                                                        • Instruction ID: d3c3103c31ebc78dfb1e2dec0652a7d481c899868afdfb465c4b92477a4e19bd
                                                                        • Opcode Fuzzy Hash: ebdfa44cef726c92bef2d6ca3a46e624759f510af0677d85df29fc81ba050f9c
                                                                        • Instruction Fuzzy Hash: 0D01D134B100144FDB68EA3CE465B2EB7D6DB85714F108938E20AC7350DE21EC0287A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9af3a63704c34b3d78130521e08f93ae79fdf1ae5151e21368ac8b1b89dea4cd
                                                                        • Instruction ID: aa9ffc008f14757a8931d88e36539e7a3cf18df09e7860bce61c7f22bcb85d2e
                                                                        • Opcode Fuzzy Hash: 9af3a63704c34b3d78130521e08f93ae79fdf1ae5151e21368ac8b1b89dea4cd
                                                                        • Instruction Fuzzy Hash: 48E02671E14149ABFF50CE708A0475E3369EB42208F6689E2D004DB202F176CE428750
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a3f40778c56a94cb1829351910999078a94cedfe7366333d70a95a28b265ea9a
                                                                        • Instruction ID: 19945c97c100bb625b691294c8e953f98c82e11c60bef23ed3543fbcceadbddb
                                                                        • Opcode Fuzzy Hash: a3f40778c56a94cb1829351910999078a94cedfe7366333d70a95a28b265ea9a
                                                                        • Instruction Fuzzy Hash: 5DE0C271E1010DABEF50CEB4C90575E73ACEB02204F6484A4D508C7202F172CE4187A0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-2843079600
                                                                        • Opcode ID: cca7825c0b0732fe9578556661937d2cb78d845b98b84d73a5b5f22fe161ffdb
                                                                        • Instruction ID: e2738888d65c95472ae4ce334cfe672cab2480ac5d80a43fdf617a8df1f1c6ab
                                                                        • Opcode Fuzzy Hash: cca7825c0b0732fe9578556661937d2cb78d845b98b84d73a5b5f22fe161ffdb
                                                                        • Instruction Fuzzy Hash: 3E123A30A112198FDF68DF68C994AADB7F2BF88304F2485A9D509EB355DB309D81CF91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-1273862796
                                                                        • Opcode ID: e1c9f3ffc1b847debdb21f19be996287b51f7c7e4d314428cec9711db8f4c930
                                                                        • Instruction ID: cb33bbd3154256e71fb138549dbc3c5a309c13b0a7a8345473bdedfa85aecf3b
                                                                        • Opcode Fuzzy Hash: e1c9f3ffc1b847debdb21f19be996287b51f7c7e4d314428cec9711db8f4c930
                                                                        • Instruction Fuzzy Hash: A2914F30A002099FDF58DF68D995B6EB7F6EF84308F148529D801EB395DB759941CBA0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-981061697
                                                                        • Opcode ID: 9cece5ac835c547785c3986229ded29bd14dac766f5e7f3f6d11b847c5d83b10
                                                                        • Instruction ID: ff8b4504285536d5a975fd3b572e4974b15f9bbfc37f47111c9734b6053fc8e9
                                                                        • Opcode Fuzzy Hash: 9cece5ac835c547785c3986229ded29bd14dac766f5e7f3f6d11b847c5d83b10
                                                                        • Instruction Fuzzy Hash: C2F12E30B10209CFDB59EFA8D555A6EB7B6FF84304F248568D4059B3A9DF35AC82CB90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
                                                                        Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434
• Opcode ID: 713b0f9ae3b54c7697816e1db50648ecce0be9ab8414e90bdbdf2ec701ecf381
• Instruction ID: eb2b14294e5886b5f34978d9ff270387d8a2d264ddf33b2575c8b4f70dedbfc7
• Opcode Fuzzy Hash: 713b0f9ae3b54c7697816e1db50648ecce0be9ab8414e90bdbdf2ec701ecf381
• Instruction Fuzzy Hash: B6B17D70B002098FDB68DFA8D59465EB7B6FF85304F248829D106EB395DB75DC82CBA0

Strings
Memory Dump Source
• Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434
• Opcode ID: 9ac7647406d516c9060b7f4421a5316f6bb085b01ef60cf74eefa27eea8b4dfc
• Instruction ID: 4fc34050cac85a8b1d9eb5053f6e84898e6140b7eb7c137629ff4321ef6237ce
• Opcode Fuzzy Hash: 9ac7647406d516c9060b7f4421a5316f6bb085b01ef60cf74eefa27eea8b4dfc
• Instruction Fuzzy Hash: 0D51A230A102059FDFADDB68D980AADB7B2EF84315F188529E906E7355DB34DC41CBA0

Strings
Memory Dump Source
• Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
Similarity
• API ID:
• String ID: LR]q$LR]q$$]q$$]q
• API String ID: 0-3527005858
• Opcode ID: f1517add7844d2e0cc48ba303543883183cbe7f4444ebadfdb4dd4041cacbf3f
• Instruction ID: cc6c249ccca7032dfef22f37de6ee683b34afa7e70addda05af2acc6a4f802df
• Opcode Fuzzy Hash: f1517add7844d2e0cc48ba303543883183cbe7f4444ebadfdb4dd4041cacbf3f
• Instruction Fuzzy Hash: ED519070B002069FDB58EF28D981A6EB7E6FF85304F148969E506DB395DB31EC41CB61

Strings
Memory Dump Source
• Source File: 00000003.00000002.4509606599.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6890000_Wru9ycO2MJ.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434
• Opcode ID: adcf424aaf19f47b065e6784564e317f077aa72dbf86ba69069a572c71d13bdc
• Instruction ID: a714d5f09ae09bda9ed1c4f005ec817af098fc4cd846d7653be4d346beb2db83
• Opcode Fuzzy Hash: adcf424aaf19f47b065e6784564e317f077aa72dbf86ba69069a572c71d13bdc
• Instruction Fuzzy Hash: AE41AF30A102059FCFA9EB68D980A6D77B2EF84309F288669D901D7295DB34EC42CB60