Windows Analysis Report
SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.9881

Overview

General Information

Sample Name: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.9881 (renamed file extension from 9881 to exe)
Analysis ID: 671866
MD5: 06479be352128f527656809d8a2e1943
SHA1: e5ae7ebeebcab238b19595981b06c44fd4cb455d
SHA256: a9e441722bbaab6eb53c633f5a6e54a0a51ee2c540ab0bf34b78582c3a9ad5a8
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe (PID: 6912 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe" MD5: 06479BE352128F527656809D8A2E1943)
    • cvtres.exe (PID: 7012 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe MD5: C09985AE74F0882F208D75DE27770DFA)
    • cvtres.exe (PID: 7028 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
Malware Configuration (AgentTesla): {"Exfil Mode": "SMTP", "Username": "facturare@rematinvest.ro", "Password": "RyN!2020-", "Host": "mail.rematinvest.ro"}
Yara matches in memory dumps (13 entries in the full report; first 5 shown here):
Source: 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp  Rule: JoeSecurity_AgentTesla_1  Description: Yara detected AgentTesla  Author: Joe Security
Source: 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp  Rule: JoeSecurity_CredentialStealer  Description: Yara detected Credential Stealer  Author: Joe Security
Source: 00000004.00000000.429466512.0000000000402000.00000040.00000400.00020000.00000000.sdmp  Rule: JoeSecurity_AgentTesla_1  Description: Yara detected AgentTesla  Author: Joe Security
Source: 00000004.00000000.429466512.0000000000402000.00000040.00000400.00020000.00000000.sdmp  Rule: JoeSecurity_AgentTesla_2  Description: Yara detected AgentTesla  Author: Joe Security
Source: 00000004.00000002.688515843.0000000000402000.00000040.00000400.00020000.00000000.sdmp  Rule: JoeSecurity_AgentTesla_1  Description: Yara detected AgentTesla  Author: Joe Security
Yara matches in unpacked PE files (19 entries in the full report; first 5 shown here):
Source: 4.0.cvtres.exe.400000.3.unpack  Rule: JoeSecurity_AgentTesla_1  Description: Yara detected AgentTesla  Author: Joe Security
Source: 4.0.cvtres.exe.400000.3.unpack  Rule: JoeSecurity_AgentTesla_2  Description: Yara detected AgentTesla  Author: Joe Security
Source: 4.0.cvtres.exe.400000.3.unpack  Rule: MALWARE_Win_AgentTeslaV3  Description: AgentTeslaV3 infostealer payload  Author: ditekSHen  Strings:
  • 0x32784:$s10: logins
  • 0x321eb:$s11: credential
  • 0x2e7d5:$g1: get_Clipboard
  • 0x2e7e3:$g2: get_Keyboard
  • 0x2e7f0:$g3: get_Password
  • 0x2faf2:$g4: get_CtrlKeyDown
  • 0x2fb02:$g5: get_ShiftKeyDown
  • 0x2fb13:$g6: get_AltKeyDown
Source: 4.0.cvtres.exe.400000.2.unpack  Rule: JoeSecurity_AgentTesla_1  Description: Yara detected AgentTesla  Author: Joe Security
Source: 4.0.cvtres.exe.400000.2.unpack  Rule: JoeSecurity_AgentTesla_2  Description: Yara detected AgentTesla  Author: Joe Security
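The MALWARE_Win_AgentTeslaV3 entry lists the strings that matched, with their offsets in the unpacked image: the get_Clipboard / get_Keyboard / get_*KeyDown accessor names that a .NET keylogger's compiled metadata cannot hide, plus generic credential words. The following Python is an added example, not part of this report and not ditekSHen's rule: it searches a buffer for exactly that string subset in both ASCII and UTF-16LE (what YARA calls "ascii wide", needed because .NET member names are stored as ASCII in the #Strings heap while C# literals sit UTF-16LE in the #US heap), applies a triage threshold that is an assumption rather than the real rule's condition, and can emit the subset as a YARA rule for a production scanner. The dump it scans is a constructed stand-in, not bytes from the sample.

```python
import re
from typing import Dict, List, Tuple

# String set copied from the MALWARE_Win_AgentTeslaV3 hits the report lists
# for 4.0.cvtres.exe.400000.3.unpack (rule by ditekSHen). Only the strings the
# report shows are here; the real rule carries more strings and its own
# condition, which this scanner does not reproduce. The verdict threshold in
# is_agenttesla_like() is an assumption made for triage, not the rule's logic.
SIGNATURE_STRINGS: Dict[str, bytes] = {
    "$s10": b"logins",
    "$s11": b"credential",
    "$g1": b"get_Clipboard",
    "$g2": b"get_Keyboard",
    "$g3": b"get_Password",
    "$g4": b"get_CtrlKeyDown",
    "$g5": b"get_ShiftKeyDown",
    "$g6": b"get_AltKeyDown",
}

Hit = Tuple[int, str]  # (offset, "ascii" | "wide")


def scan_buffer(buf: bytes) -> Dict[str, List[Hit]]:
    """Return {string_id: [(offset, encoding), ...]} for every occurrence.

    Both encodings are searched: .NET member names such as get_Clipboard live
    in the #Strings heap as ASCII, C# string literals in the #US heap as
    UTF-16LE. This is YARA's 'ascii wide' done by hand.
    """
    hits: Dict[str, List[Hit]] = {}
    for ident, needle in SIGNATURE_STRINGS.items():
        for enc, pat in (("ascii", needle),
                         ("wide", needle.decode("ascii").encode("utf-16-le"))):
            for m in re.finditer(re.escape(pat), buf):
                hits.setdefault(ident, []).append((m.start(), enc))
    return hits


def is_agenttesla_like(hits: Dict[str, List[Hit]]) -> bool:
    """Assumed triage threshold: at least five of the six get_* accessor
    names plus at least one of the credential-related words."""
    accessors = sum(1 for k in hits if k.startswith("$g"))
    cred_words = sum(1 for k in hits if k.startswith("$s"))
    return accessors >= 5 and cred_words >= 1


def to_yara(rule_name: str = "AgentTeslaV3_strings_subset") -> str:
    """Emit the same string subset as a YARA rule (same assumed condition)."""
    lines = [f"rule {rule_name} {{", "    strings:"]
    for ident, needle in SIGNATURE_STRINGS.items():
        lines.append(f'        {ident} = "{needle.decode("ascii")}" ascii wide')
    lines += ["    condition:", "        5 of ($g*) and 1 of ($s*)", "}"]
    return "\n".join(lines)


def build_constructed_dump() -> bytes:
    """Constructed stand-in for an unpacked .NET image: the accessor names
    padded into a buffer, with one literal stored UTF-16LE. Not sample bytes."""
    chunks = [b"\x00" * 64]
    for needle in (b"get_Clipboard", b"get_Keyboard", b"get_Password",
                   b"get_CtrlKeyDown", b"get_ShiftKeyDown", b"get_AltKeyDown"):
        chunks.append(needle + b"\x00" * 16)
    chunks.append("credential".encode("utf-16-le") + b"\x00" * 16)
    chunks.append(b"\x00" * 64)
    return b"".join(chunks)


if __name__ == "__main__":
    dump = build_constructed_dump()
    found = scan_buffer(dump)
    for ident, where in found.items():
        for off, enc in where:
            print(f"{off:#x}:{ident}: {SIGNATURE_STRINGS[ident].decode()} ({enc})")
    print("verdict:", is_agenttesla_like(found))
    print(to_yara())
```

Point scan_buffer() at the bytes of a `.unpack` artifact or a process memory dump; the offsets it prints are comparable to the `0x2e7d5:$g1` style entries above. The wide search is what keeps the scanner useful on string literals, which is where the Outlook and browser credential-store paths this family reads tend to live.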
                    No Sigma rule has matched
Snort IDS alerts (3):
Timestamp: 07/22/22-19:36:28.834857  SID: 2851779  Source: 192.168.2.5:49775  Destination: 109.99.162.14:587  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/22/22-19:36:28.834742  SID: 2030171  Source: 192.168.2.5:49775  Destination: 109.99.162.14:587  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/22/22-19:36:28.834857  SID: 2840032  Source: 192.168.2.5:49775  Destination: 109.99.162.14:587  Protocol: TCP  Classtype: A Network Trojan was detected


                    AV Detection

Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Virustotal: Detection: 38%
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  ReversingLabs: Detection: 30%
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Joe Sandbox ML: detected
Source: 4.0.cvtres.exe.400000.4.unpack  Avira: Label: TR/Spy.Gen8
Source: 4.0.cvtres.exe.400000.0.unpack  Avira: Label: TR/Spy.Gen8
Source: 4.2.cvtres.exe.400000.0.unpack  Avira: Label: TR/Spy.Gen8
Source: 4.0.cvtres.exe.400000.2.unpack  Avira: Label: TR/Spy.Gen8
Source: 4.0.cvtres.exe.400000.3.unpack  Avira: Label: TR/Spy.Gen8
Source: 4.0.cvtres.exe.400000.1.unpack  Avira: Label: TR/Spy.Gen8
Source: 4.0.cvtres.exe.400000.4.unpack  Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "facturare@rematinvest.ro", "Password": "RyN!2020-", "Host": "mail.rematinvest.ro"}
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: NBCBNCXHJKDJHD23442.pdbD source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
Source: Binary string: NBCBNCXHJKDJHD23442.pdb source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h  1_2_014AC902
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h  1_2_014A6820
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h  1_2_014AD3CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h  1_2_014AD3D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h  1_2_014AD79D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h  1_2_014AD7A8
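The extractor output gives the exfiltration channel as SMTP through mail.rematinvest.ro with the account facturare@rematinvest.ro, and the traffic goes to 109.99.162.14:587. Because the Snort rules that fired on that flow are content-based SMTP-exfil signatures, the session was inspectable in the clear (a STARTTLS session would have hidden everything after the STARTTLS command). In that case the same credentials can be recovered from the AUTH exchange on the wire, which is a useful cross-check between static configuration extraction and what the sample actually sent. The Python below is an added example, not part of the Joe Sandbox report: it parses a constructed plaintext SMTP transcript that mirrors the reported configuration (the EHLO name, the server reply text and the Subject line are invented), decodes AUTH LOGIN and, going beyond what this sample shows, AUTH PLAIN, and reports which extractor fields the traffic corroborates.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Configuration as printed by the report's Malware Configuration Extractor.
REPORTED_CONFIG = {
    "Exfil Mode": "SMTP",
    "Username": "facturare@rematinvest.ro",
    "Password": "RyN!2020-",
    "Host": "mail.rematinvest.ro",
}

# Constructed plaintext SMTP session mirroring that configuration. "S:" lines
# are the server, "C:" lines the client. The EHLO name, the reply text and the
# Subject line are invented; the base64 tokens encode the reported account.
SESSION = """\
S: 220 mail.rematinvest.ro ESMTP
C: EHLO DESKTOP-INFECTED
S: 250-mail.rematinvest.ro
S: 250-AUTH LOGIN PLAIN
S: 250 OK
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: ZmFjdHVyYXJlQHJlbWF0aW52ZXN0LnJv
S: 334 UGFzc3dvcmQ6
C: UnlOITIwMjAt
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<facturare@rematinvest.ro>
S: 250 2.1.0 Ok
C: RCPT TO:<facturare@rematinvest.ro>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: PW_user/DESKTOP-INFECTED
C:
C: (stolen data would follow here)
C: .
S: 250 2.0.0 Ok: queued
C: QUIT
S: 221 2.0.0 Bye
"""


@dataclass
class SmtpSession:
    server: Optional[str] = None
    auth_mechanism: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    subject: Optional[str] = None


def _b64text(token: str) -> str:
    return base64.b64decode(token, validate=True).decode("utf-8", "replace")


def plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """Encode an RFC 4616 AUTH PLAIN initial response: authzid NUL authcid NUL passwd."""
    raw = f"{authzid}\x00{username}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_smtp_session(transcript: str) -> SmtpSession:
    """Walk a "S:/C:" transcript and pull out server, credentials, envelope, subject."""
    sess = SmtpSession()
    pending: List[str] = []   # values still expected from a multi-step AUTH
    in_data = False
    for raw in transcript.splitlines():
        side, _, text = raw.partition(":")
        text = text[1:] if text.startswith(" ") else text
        if side == "S":
            if sess.server is None and text.startswith("220 "):
                sess.server = text.split()[1]      # greeting names the MTA
            continue                               # 334 challenges carry nothing useful
        if side != "C":
            continue
        if in_data:                                # message body until lone "."
            if text == ".":
                in_data = False
            elif text.lower().startswith("subject:") and sess.subject is None:
                sess.subject = text[len("subject:"):].strip()
            continue
        if pending:                                # continuation line of AUTH LOGIN/PLAIN
            fld = pending.pop(0)
            if fld == "plain":
                _, sess.username, sess.password = _b64text(text).split("\x00", 2)
            else:
                setattr(sess, fld, _b64text(text))
            continue
        upper = text.upper()
        parts = text.split()
        if upper.startswith("AUTH LOGIN"):
            sess.auth_mechanism = "LOGIN"
            pending = ["username", "password"]
            if len(parts) == 3:                    # optional initial response = username
                sess.username = _b64text(parts[2])
                pending.pop(0)
        elif upper.startswith("AUTH PLAIN"):
            sess.auth_mechanism = "PLAIN"
            if len(parts) == 3:
                _, sess.username, sess.password = _b64text(parts[2]).split("\x00", 2)
            else:
                pending = ["plain"]
        elif upper.startswith("MAIL FROM:"):
            m = re.search(r"<([^>]*)>", text)
            sess.mail_from = m.group(1) if m else text[len("MAIL FROM:"):].strip()
        elif upper.startswith("RCPT TO:"):
            m = re.search(r"<([^>]*)>", text)
            sess.rcpt_to.append(m.group(1) if m else text[len("RCPT TO:"):].strip())
        elif upper == "DATA":
            in_data = True
    return sess


def corroborate(sess: SmtpSession, config: Dict[str, str]) -> Dict[str, bool]:
    """Which extractor fields the observed traffic confirms."""
    return {
        "Host": sess.server == config.get("Host"),
        "Username": sess.username == config.get("Username"),
        "Password": sess.password == config.get("Password"),
    }


if __name__ == "__main__":
    observed = parse_smtp_session(SESSION)
    print(observed)
    print(corroborate(observed, REPORTED_CONFIG))
```

On a real capture, feed the function the reassembled TCP stream with each line prefixed by its direction; Wireshark's "Follow TCP Stream" export in the "S:/C:" form used here needs no other conversion. A session that never sends AUTH and instead issues STARTTLS right after EHLO yields an empty username and password, which is itself worth recording: it means the extracted configuration is the only source of the credentials.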

                    Networking

Source: Traffic  Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49775 -> 109.99.162.14:587
Source: Traffic  Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49775 -> 109.99.162.14:587
Source: Traffic  Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49775 -> 109.99.162.14:587
Source: Joe Sandbox View  ASN Name: RTDBucharestRomaniaRO
Source: global traffic  TCP traffic: 192.168.2.5:49775 -> 109.99.162.14:587
Source: global traffic  TCP traffic: 192.168.2.5:49775 -> 109.99.162.14:587
Source: cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://NKVjVb.com
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cvtres.exe, 00000004.00000002.690948171.00000000070A8000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://mail.rematinvest.ro
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: cvtres.exe, 00000004.00000002.690948171.00000000070A8000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://rematinvest.ro
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: http://www.digicert.com/CPS0
Source: cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://api.ipify.org%
Source: cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  String found in binary or memory: https://www.globalsign.com/repository/0
Source: cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown  DNS traffic detected: queries for: mail.rematinvest.ro
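The process tree shows the Desktop executable starting two cvtres.exe instances with a bare command line, and the traffic and memory-string entries attribute the SMTP flow and the AgentTesla strings to a cvtres.exe process: this is the process-hollowing pattern behind the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Injects a PE file" signatures. cvtres.exe is the .NET Framework resource converter; it is normally launched by csc.exe or vbc.exe with /OUT and input-file arguments and has no reason to open a network socket. The Python below is an added example, not part of the report: it turns those two observations into a correlation over constructed Sysmon-style EventID 1 (process create) and EventID 3 (network connect) records rebuilt from this report. The explorer.exe parent and its PID, the attribution of the socket to PID 7028, and the csc.exe control case are assumptions; the list of other .NET tools that get hollowed the same way is general knowledge, not something this report shows.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Set

CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

# Constructed Sysmon-style events (EventID 1 = process create, EventID 3 =
# network connect) rebuilt from the process tree and traffic in this report.
# Field names follow Sysmon. The explorer.exe parent and its PID, and the
# attribution of the socket to PID 7028, are assumptions. The final event is a
# constructed benign control: csc.exe invoking cvtres.exe the way it normally does.
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 6912, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentProcessId": 4040, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 7012, "Image": CVTRES, "CommandLine": CVTRES,
     "ParentProcessId": 6912, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 7028, "Image": CVTRES, "CommandLine": CVTRES,
     "ParentProcessId": 6912, "ParentImage": SAMPLE},
    {"EventID": 3, "ProcessId": 7028, "Image": CVTRES, "Protocol": "tcp",
     "SourceIp": "192.168.2.5", "SourcePort": 49775,
     "DestinationIp": "109.99.162.14", "DestinationPort": 587},
    {"EventID": 1, "ProcessId": 8100, "Image": CVTRES,
     "CommandLine": rf'"{CVTRES}" /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1.tmp" "C:\Users\user\AppData\Local\Temp\CSC1.TMP"',
     "ParentProcessId": 8090, "ParentImage": CSC},
]

# cvtres.exe is the binary this report shows being hollowed. The others are
# .NET Framework tools commonly abused the same way (general knowledge, not
# from this report); none of them has a legitimate reason to speak SMTP.
NET_FRAMEWORK_TOOLS: Set[str] = {
    "cvtres.exe", "csc.exe", "vbc.exe", "msbuild.exe",
    "regasm.exe", "regsvcs.exe", "installutil.exe",
}
COMPILER_PARENTS: Set[str] = {"csc.exe", "vbc.exe", "msbuild.exe", "link.exe", "cl.exe"}
MAIL_PORTS: Set[int] = {25, 465, 587}


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str
    detail: str


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        _, _, rest = cmdline.partition(" ")
    return bool(rest.strip())


def detect(events: List[Dict]) -> List[Finding]:
    """Flag cvtres.exe launched outside a compiler pipeline, then raise the
    severity of any mail-port connection made by a .NET tool whose spawn
    already looked wrong."""
    findings: List[Finding] = []
    suspicious_pids: Set[int] = set()
    for e in events:
        name = image_name(e["Image"])
        if e["EventID"] == 1 and name == "cvtres.exe":
            reasons = []
            parent = image_name(e["ParentImage"])
            if parent not in COMPILER_PARENTS:
                reasons.append(f"parent {parent} is not a compiler")
            if not has_arguments(e["CommandLine"]):
                reasons.append("no command-line arguments")
            if reasons:
                suspicious_pids.add(e["ProcessId"])
                findings.append(Finding(e["ProcessId"], "cvtres_hollowing_candidate",
                                        "medium", "; ".join(reasons)))
        elif e["EventID"] == 3 and name in NET_FRAMEWORK_TOOLS \
                and e.get("DestinationPort") in MAIL_PORTS:
            sev = "high" if e["ProcessId"] in suspicious_pids else "medium"
            findings.append(Finding(e["ProcessId"], "net_tool_smtp_egress", sev,
                                    f'{name} -> {e["DestinationIp"]}:{e["DestinationPort"]}'))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.rule}: {f.detail}")
```

Against these events the two bare cvtres.exe spawns under the sample are reported at medium severity and the port 587 connection from PID 7028 is promoted to high because its spawn was already flagged; the csc.exe control case produces nothing. In production the same logic fits a SIEM query keyed on Sysmon's ProcessGuid rather than the PID used here.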

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe, 00000001.00000002.430657010.000000000123B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 4.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE  Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE  Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe.4da49c8.1.unpack, type: UNPACKEDPE  Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE  Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE  Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe.4da49c8.1.raw.unpack, type: UNPACKEDPE  Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.cvtres.exe.400000.4.unpack, <PrivateImplementationDetails>{981CEEEF-4B38-43AC-9478-1F4F4963991C}/8654F4E6-C851-420E-862F-7C681F2A7AF8.cs  Large array initialization: .cctor: array initializer size 11645
Source: 4.0.cvtres.exe.400000.0.unpack, <PrivateImplementationDetails>{981CEEEF-4B38-43AC-9478-1F4F4963991C}/8654F4E6-C851-420E-862F-7C681F2A7AF8.cs  Large array initialization: .cctor: array initializer size 11645
Source: 4.0.cvtres.exe.400000.2.unpack, <PrivateImplementationDetails>{981CEEEF-4B38-43AC-9478-1F4F4963991C}/8654F4E6-C851-420E-862F-7C681F2A7AF8.cs  Large array initialization: .cctor: array initializer size 11645
Source: 4.0.cvtres.exe.400000.3.unpack, <PrivateImplementationDetails>{981CEEEF-4B38-43AC-9478-1F4F4963991C}/8654F4E6-C851-420E-862F-7C681F2A7AF8.cs  Large array initialization: .cctor: array initializer size 11645
Source: 4.0.cvtres.exe.400000.1.unpack, <PrivateImplementationDetails>{981CEEEF-4B38-43AC-9478-1F4F4963991C}/8654F4E6-C851-420E-862F-7C681F2A7AF8.cs  Large array initialization: .cctor: array initializer size 11645
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 4.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE  Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE  Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe.4da49c8.1.unpack, type: UNPACKEDPE  Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE  Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE  Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe.4da49c8.1.raw.unpack, type: UNPACKEDPE  Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A3530
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A25FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A1370
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A1BB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A9E78
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A6EC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A8AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014ADAB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014ABEB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A896F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A79A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A0448
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A6C61
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A040F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A3430
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A4F58
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A4F68
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A1328
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A4390
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A43A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A525A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A9E68
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A5ED8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A5E85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014ADAA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Code function: 1_2_014A6EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_054D8BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_054DF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_054DF3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_054D6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_09AF2A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_09AFBCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_09AF1FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_09AF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_09AFC428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_09AFB6C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_0A8AAE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_0A8A73D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_0A8A1FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_0A8A44F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_0AB5E320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_0AB570E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: 4_2_0AB519B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Code function: String function: 09AF5A58 appears 34 times
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe, 00000001.00000002.431461693.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameRTmykTJsYGNhcLtpIFpFmzfqYxFnyHj.exe4 vs SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe, 00000001.00000002.430657010.000000000123B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe, 00000001.00000002.433445075.00000000048BA000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameRTmykTJsYGNhcLtpIFpFmzfqYxFnyHj.exe4 vs SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe, 00000001.00000000.422673745.0000000000B8D000.00000002.00000001.01000000.00000003.sdmp  Binary or memory string: OriginalFilenameNBCBNCXHJKDJHD23442.exeH vs SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Binary or memory string: OriginalFilenameNBCBNCXHJKDJHD23442.exeH vs SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static PE information: invalid certificate
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Virustotal: Detection: 38%
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  ReversingLabs: Detection: 30%
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown  Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe.log
Source: classification engine  Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/1
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.0.cvtres.exe.400000.4.unpack, A/F1.cs  Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.cvtres.exe.400000.4.unpack, A/F1.cs  Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.cvtres.exe.400000.0.unpack, A/F1.cs  Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.cvtres.exe.400000.0.unpack, A/F1.cs  Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.cvtres.exe.400000.2.unpack, A/F1.cs  Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.cvtres.exe.400000.2.unpack, A/F1.cs  Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: NBCBNCXHJKDJHD23442.pdbD source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
                    Source: Binary string: NBCBNCXHJKDJHD23442.pdb source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeCode function: 1_2_00B4231F pushad ; ret 1_2_00B42320
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeCode function: 1_2_00B4796F push 00000020h; retf 1_2_00B4797A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeCode function: 1_2_014A6236 push es; iretd 1_2_014A6237
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 4_2_09AFA01A push 8B000005h; retf 4_2_09AFA01F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 4_2_09AFF538 pushad ; ret 4_2_09AFF539
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 4_2_0A8A128A pushfd ; iretd 4_2_0A8A128B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 4_2_0A8A122D pushad ; iretd 4_2_0A8A122E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 4_2_0A8A13EA pushad ; iretd 4_2_0A8A13EB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 4_2_0A8A1372 push esp; iretd 4_2_0A8A1373
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 4_2_0A8A10EE pushfd ; iretd 4_2_0A8A10EF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 4_2_0A8A102B pushad ; iretd 4_2_0A8A102C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 4_2_0A8A1482 pushfd ; iretd 4_2_0A8A1483
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeStatic PE information: real checksum: 0x5d486 should be: 0x60a28
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.673868780802566
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe TID: 6960 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 7112 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 7116 | Thread sleep count: 9477 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Window / User API: threadDelayed 9477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Thread delayed: delay time: 922337203685477
Source: cvtres.exe, 00000004.00000002.691765963.000000000A550000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Code function: 1_2_014AD5D0 CheckRemoteDebuggerPresent,1_2_014AD5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 4_2_0A8A73D0 LdrInitializeThunk,4_2_0A8A73D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 436000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 438000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 4E6A008
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe, u206b????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
                    Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe, u200c????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('????????????????????????????????????????', 'GetProcAddress@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 4.0.cvtres.exe.400000.4.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 4.0.cvtres.exe.400000.0.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 4.0.cvtres.exe.400000.2.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 4.0.cvtres.exe.400000.3.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 4.0.cvtres.exe.400000.1.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe, 00000001.00000002.431461693.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe, 00000001.00000002.431461693.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Progman
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 4.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe.4da49c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe.4da49c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.429466512.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.688515843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.428206053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.428807538.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.428533310.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.433445075.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.690509343.0000000007018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe PID: 6912, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7028, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7028, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 4.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe.4da49c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe.4da49c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.429466512.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.688515843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.428206053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.428807538.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.428533310.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.433445075.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.690509343.0000000007018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe PID: 6912, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7028, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 312 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 111 Input Capture | 2 Process Discovery | Remote Desktop Protocol | 111 Input Capture | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 141 Virtualization/Sandbox Evasion | Security Account Manager | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 1 Data from Local System | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 4 Obfuscated Files or Information | Cached Domain Credentials | 114 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Antivirus detection, submitted file:
Source | Detection | Scanner | Label
SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | 38% | Virustotal |
SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | 30% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | 100% | Joe Sandbox ML |
Antivirus detection, dropped files: No Antivirus matches
Antivirus detection, unpacked PE files (all carved from cvtres.exe, the injection target):
Source | Detection | Scanner | Label
4.0.cvtres.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
4.0.cvtres.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.2.cvtres.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.0.cvtres.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
4.0.cvtres.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
4.0.cvtres.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
Antivirus detection, domains:
Source | Detection | Scanner | Label
rematinvest.ro | 0% | Virustotal |
Antivirus detection, URLs:
Source | Detection | Scanner | Label
http://mail.rematinvest.ro | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://rematinvest.ro | 0% | Avira URL Cloud | safe
https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe
http://NKVjVb.com | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
rematinvest.ro | 109.99.162.14 | true | true | | unknown
mail.rematinvest.ro | unknown | unknown | false | | unknown
URLs found in process memory (strings, not necessarily contacted):
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.rematinvest.ro | cvtres.exe, 00000004.00000002.690948171.00000000070A8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://rematinvest.ro | cvtres.exe, 00000004.00000002.690948171.00000000070A8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%%startupfolder% | cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://NKVjVb.com | cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org% | cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | cvtres.exe, 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
109.99.162.14 | rematinvest.ro | Romania | 9050 | RTDBucharestRomaniaRO | true
                      Joe Sandbox Version:35.0.0 Citrine
                      Analysis ID:671866
Start date and time: 22/07/2022 19:35:08 (2022-07-22 19:35:08 +02:00)
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 7m 32s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.9881 (renamed file extension from 9881 to exe)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@5/1@2/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 14.9% (good quality ratio 9.6%)
                      • Quality average: 42.8%
                      • Quality standard deviation: 37.7%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 53
                      • Number of non-executed functions: 17
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                      • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, licensing.mp.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:36:18 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe modified
19:36:24 | API Interceptor | 805x Sleep call for process: cvtres.exe modified
IP context (other samples previously seen contacting the same IP):
Match | Associated Sample Name / URL | Detection
109.99.162.14 | SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe | malicious

Domain context: no entries

ASN context (other samples previously seen contacting ASN RTDBucharestRomaniaRO, with the IP each contacted):
Match | Associated Sample Name / URL | Detection | IP
RTDBucharestRomaniaRO | SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe | malicious | 109.99.162.14
RTDBucharestRomaniaRO | bMwvKA6Owe.exe | malicious | 109.102.255.230
RTDBucharestRomaniaRO | kfHWoySTel | malicious | 109.99.173.28
RTDBucharestRomaniaRO | home.mips | malicious | 80.97.224.199
RTDBucharestRomaniaRO | #Ud83d#Udd0a VM 9193408792.wav.html | malicious | 92.87.6.53
RTDBucharestRomaniaRO | jTpjSXxHjt.dll | malicious | 92.81.66.155
RTDBucharestRomaniaRO | oWmdf3W67o.dll | malicious | 109.103.48.81
RTDBucharestRomaniaRO | djA1JX3UZv.dll | malicious | 92.83.238.161
RTDBucharestRomaniaRO | 342hs5UFG1.dll | malicious | 109.102.113.172
RTDBucharestRomaniaRO | 196608.htm | malicious | 92.87.6.53
RTDBucharestRomaniaRO | fxyKXb2hV5.dll | malicious | 109.103.83.54
RTDBucharestRomaniaRO | v8Rhp4teOl.dll | malicious | 92.85.58.229
RTDBucharestRomaniaRO | 7T2Y8w1zOi.dll | malicious | 92.83.239.195
RTDBucharestRomaniaRO | E3mbtPKpoj.dll | malicious | 92.80.107.22
RTDBucharestRomaniaRO | agsS7yP4eP.dll | malicious | 89.121.130.106
RTDBucharestRomaniaRO | Vi3ioqKqPS.dll | malicious | 86.35.226.0
RTDBucharestRomaniaRO | eYB6B0ahQe.dll | malicious | 92.81.231.56
RTDBucharestRomaniaRO | 196488.htm | malicious | 92.87.6.53
RTDBucharestRomaniaRO | cutie.spc | malicious | 92.84.221.174
RTDBucharestRomaniaRO | xd.arm7 | malicious | 109.97.15.12
Note: only the first ASN entry shares this sample's C2 IP; the rest is a consumer ISP ASN (RDS/RCS customer ranges) and the shared ASN alone is not an indicator.

Further context tables (JA3 fingerprints, dropped files): no context
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):226
                        Entropy (8bit):5.3467126928258955
                        Encrypted:false
                        SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
                        MD5:DD8B7A943A5D834CEEAB90A6BBBF4781
                        SHA1:2BED8D47DF1C0FF76B40811E5F11298BD2D06389
                        SHA-256:E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
                        SHA-512:24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
                        Malicious:true
                        Reputation:moderate, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):6.826479487170498
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                        • Win32 Executable (generic) a (10002005/4) 49.97%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
                        File size:352408
                        MD5:06479be352128f527656809d8a2e1943
                        SHA1:e5ae7ebeebcab238b19595981b06c44fd4cb455d
                        SHA256:a9e441722bbaab6eb53c633f5a6e54a0a51ee2c540ab0bf34b78582c3a9ad5a8
                        SHA512:b52578f2a1969d253325cdffb661ce2b3304827b163078772c01b79bfb035b8109598a83ddd660183c092a8fd53d12121243dcfa38977b148e85e974ede8017d
                        SSDEEP:6144:F65ozXWHoc5uKB9lcXXiREBMUXjC+3PdhHd2mEfW9hbbK32yr4nrA:HXWICLaiREBMUXjrhHd2mEfW9hbG32y1
                        TLSH:957428883E5071CFCC02C871DA787C54AADC6C6657179202AC5736ADAB3F59F8E371A2
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[.b..............0.............n.... ........@.. ....................................`................................
                        Icon Hash:18d0c4ccccc4d800
                        Entrypoint:0x43a06e
                        Entrypoint Section:.text
                        Digitally signed:true
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x62DA5BF3 [Fri Jul 22 08:12:35 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid:false
Signature Issuer:CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST)
Note: "Digitally signed: true" above only records that an Authenticode blob is present (the security directory at file offset 0x52200, 0x3e98 bytes). Its digest does not match this file and its subject is win.rar GmbH, which has no relation to a 352 KB .NET executable; this is consistent with a signature block copied from another binary. The signature carries no trust and must not be used to allow-list the file.
                        Not Before, Not After
                        • 8/25/2020 6:42:07 AM 8/26/2023 6:42:07 AM
                        Subject Chain
                        • CN=win.rar GmbH, O=win.rar GmbH, L=Berlin, S=Berlin, C=DE
                        Version:3
                        Thumbprint MD5:185DBD4A2E2671589EEB3E7E1920EA9F
                        Thumbprint SHA-1:B3DF816A17A25557316D181DDB9F46254D6D8CA0
                        Thumbprint SHA-256:66DB1C86D38273627C837F4638122FA88BBFFFF31C4052115B98CAF6CE0C631E
                        Serial:731D40AE3F3A1FB2BC3D8395
Instruction
jmp dword ptr [00402000h]   ; IAT slot at RVA 0x2000, the sole import mscoree.dll!_CorExeMain: the standard native stub of a managed .NET executable, all real behaviour lives in the CLR code
add byte ptr [eax], al      ; repeated 97 times: zero-byte padding after the stub, never executed
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a01c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0x19a76 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x52200 | 0x3e98 | (file offset, not an RVA)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x56000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x39fd0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x38074 | 0x38200 | False | 0.8407876879175946 | data | 7.673868780802566 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x3c000 | 0x19a76 | 0x19c00 | False | 0.08731227245145631 | data | 3.132050181683162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x56000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
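The Entropy and ZLIB Complexity columns above are the two numbers that separate a packed or encrypted .text (7.67 bits per byte at a 0.84 compression ratio, in a managed binary whose IL should compress well) from ordinary resource data (.rsrc: 3.13 and 0.087). The Python below recomputes both measures and applies a simple verdict. It is an added example, not Joe Sandbox's or the report's own code; the thresholds (7.2 bits per byte, 0.8 compression ratio) and the three constructed buffers are this example's assumptions, standing in for section contents the report does not include. The .rsrc stand-in is deliberately a repeating 0..255 pattern: it scores the maximum 8.0 bits of entropy yet compresses almost completely, which is why a report shows both columns rather than entropy alone.

```python
"""Section packing heuristics: 8-bit Shannon entropy and zlib compression ratio.

Added example; not part of the Joe Sandbox report. Thresholds and sample
buffers are assumptions of this example.
"""
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 when every byte is identical, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data):
    """Compressed size divided by raw size. Close to 1.0 means incompressible
    (encrypted or already-compressed content); close to 0.0 means highly repetitive."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify_section(name, entropy, complexity, executable):
    """Heuristic verdict for one section (thresholds are this example's assumptions)."""
    if entropy > 7.2 and complexity > 0.8:
        return "high-entropy, incompressible: likely encrypted or packed payload"
    if entropy > 7.2:
        return "high-entropy but compressible: structured data, inspect manually"
    if executable and entropy < 5.0:
        return "low-entropy code section: sparse or padding-heavy"
    return "unremarkable"


def prng_bytes(n, seed=b"section-entropy-example"):
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) so results are reproducible."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


def analyse_sections(sections):
    """sections: iterable of (name, raw_bytes, is_executable). Returns metrics and verdict per section."""
    results = []
    for name, raw, is_exec in sections:
        e = shannon_entropy(raw)
        c = zlib_complexity(raw)
        results.append({"name": name, "entropy": round(e, 3), "zlib": round(c, 3),
                        "verdict": classify_section(name, e, c, is_exec)})
    return results


# Constructed stand-ins for section contents (the report does not include the bytes).
SAMPLE_SECTIONS = [
    (".text", prng_bytes(16384), True),           # behaves like an encrypted blob
    (".rsrc", bytes(range(256)) * 64, False),     # uniform byte histogram, but a repeating pattern
    (".reloc", b"\x00" * 4096, False),            # padding
]

if __name__ == "__main__":
    for row in analyse_sections(SAMPLE_SECTIONS):
        print(row)
```

Applying `classify_section` to the report's own numbers gives the expected split: `.text` (7.67, 0.84) lands in the "encrypted or packed payload" bucket, matching the "very large array initializations" and "Software Packing" findings and the later unpacking into cvtres.exe, while `.rsrc` and `.reloc` are unremarkable.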
Resources (the "dBase" and "GLS_BINARY" types are libmagic misidentifications of raw icon bitmaps; language and country are unset for all entries):
Name | RVA | Size | Type
RT_ICON | 0x3c254 | 0xd68 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON | 0x3cfbc | 0x10828 | dBase III DBT, version number 0, next free block index 40
RT_ICON | 0x4d7e4 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON | 0x51a0c | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON | 0x53fb4 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON | 0x5505c | 0x468 | GLS_BINARY_LSB_FIRST
RT_GROUP_ICON | 0x554c4 | 0x5a | data
RT_VERSION | 0x55520 | 0x36c | data
RT_MANIFEST | 0x5588c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Imports:
DLL | Import
mscoree.dll | _CorExeMain
Snort IDS alerts:
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/22/22-19:36:28.834857 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49775 | 587 | 192.168.2.5 | 109.99.162.14
07/22/22-19:36:28.834742 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49775 | 587 | 192.168.2.5 | 109.99.162.14
07/22/22-19:36:28.834857 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49775 | 587 | 192.168.2.5 | 109.99.162.14
All three alerts fire on the same packets of the single SMTP session from 192.168.2.5:49775 to 109.99.162.14:587 (the message body sent after DATA, see the SMTP listing below). The rule labelled "Telegram Exfil" matched the same packet as the two SMTP rules; no Telegram endpoint was resolved or contacted in this run, so the observed exfiltration channel is SMTP.
TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2022 19:36:28.328042984 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.373176098 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.373307943 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.486587048 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.486896992 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.534585953 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.535618067 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.584765911 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.585371017 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.636060953 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.640392065 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.690749884 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.692682028 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.777312040 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.786739111 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.787060022 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.833581924 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.833668947 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.834742069 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.834856987 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.835726976 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.835818052 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:36:28.879703045 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:28.880513906 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:33.293950081 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:36:33.407489061 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:38:08.092817068 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:38:08.140233040 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
Jul 22, 2022 19:38:08.140414000 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:38:08.142493010 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14
Jul 22, 2022 19:38:08.188280106 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5
UDP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2022 19:36:28.130073071 CEST | 62466 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2022 19:36:28.194483995 CEST | 53 | 62466 | 8.8.8.8 | 192.168.2.5
Jul 22, 2022 19:36:28.235074997 CEST | 60969 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2022 19:36:28.312767982 CEST | 53 | 60969 | 8.8.8.8 | 192.168.2.5
DNS queries:
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2022 19:36:28.130073071 CEST | 192.168.2.5 | 8.8.8.8 | 0x656e | Standard query (0) | mail.rematinvest.ro | A (IP address) | IN (0x0001)
Jul 22, 2022 19:36:28.235074997 CEST | 192.168.2.5 | 8.8.8.8 | 0x73dc | Standard query (0) | mail.rematinvest.ro | A (IP address) | IN (0x0001)
DNS answers (mail.rematinvest.ro is a CNAME for rematinvest.ro, which resolves to the C2 IP):
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2022 19:36:28.194483995 CEST | 8.8.8.8 | 192.168.2.5 | 0x656e | No error (0) | mail.rematinvest.ro | rematinvest.ro | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2022 19:36:28.194483995 CEST | 8.8.8.8 | 192.168.2.5 | 0x656e | No error (0) | rematinvest.ro | | 109.99.162.14 | A (IP address) | IN (0x0001)
Jul 22, 2022 19:36:28.312767982 CEST | 8.8.8.8 | 192.168.2.5 | 0x73dc | No error (0) | mail.rematinvest.ro | rematinvest.ro | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2022 19:36:28.312767982 CEST | 8.8.8.8 | 192.168.2.5 | 0x73dc | No error (0) | rematinvest.ro | | 109.99.162.14 | A (IP address) | IN (0x0001)
SMTP session to 109.99.162.14:587 (submission port; the session stays in plaintext because the server advertises STARTTLS but the client never issues it):
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 22, 2022 19:36:28.486587048 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5 | 220-cpanel4.romtelecom.net ESMTP Exim 4.93 #2 Fri, 22 Jul 2022 20:36:28 +0300
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jul 22, 2022 19:36:28.486896992 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14 | EHLO 216041
Jul 22, 2022 19:36:28.534585953 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5 | 250-cpanel4.romtelecom.net Hello 216041 [84.17.52.2]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jul 22, 2022 19:36:28.535618067 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14 | AUTH login ZmFjdHVyYXJlQHJlbWF0aW52ZXN0LnJv   (base64 of "facturare@rematinvest.ro")
Jul 22, 2022 19:36:28.584765911 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5 | 334 UGFzc3dvcmQ6   (base64 of "Password:")
Jul 22, 2022 19:36:28.636060953 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5 | 235 Authentication succeeded
Jul 22, 2022 19:36:28.640392065 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14 | MAIL FROM:<facturare@rematinvest.ro>
Jul 22, 2022 19:36:28.690749884 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5 | 250 OK
Jul 22, 2022 19:36:28.692682028 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14 | RCPT TO:<mikeandreas1991@gmail.com>
Jul 22, 2022 19:36:28.786739111 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5 | 250 Accepted
Jul 22, 2022 19:36:28.787060022 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14 | DATA
Jul 22, 2022 19:36:28.833668947 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
Jul 22, 2022 19:36:28.835818052 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14 | .
Jul 22, 2022 19:36:33.293950081 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5 | 250 OK id=1oEwZg-000BXz-Q0
Jul 22, 2022 19:38:08.092817068 CEST | 49775 | 587 | 192.168.2.5 | 109.99.162.14 | QUIT
Jul 22, 2022 19:38:08.140233040 CEST | 587 | 49775 | 109.99.162.14 | 192.168.2.5 | 221 cpanel4.romtelecom.net closing connection

What the session shows: the sample authenticates to the contacted domain's own mail server as facturare@rematinvest.ro (a mailbox on the C2 domain, not on the victim side) and sends one message to mikeandreas1991@gmail.com, the collector address; the three Snort alerts above fire on the message-body packets at 19:36:28.834. The client's base64 password reply (the client packet at 19:36:28.585371017 CEST in the TCP listing) and the message body between DATA and "." are not reproduced in this command listing. Because STARTTLS was never negotiated, both halves of the credential crossed the wire base64-encoded but unencrypted, so the mailbox credential the sample carries is recoverable from any packet capture of the session, and the mailbox owner can be notified and the account locked.

                        Target ID:1
                        Start time:19:36:17
                        Start date:22/07/2022
                        Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe"
                        Imagebase:0xb40000
                        File size:352408 bytes
                        MD5 hash:06479BE352128F527656809D8A2E1943
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.433445075.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.433445075.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low

                        Target ID:3
                        Start time:19:36:19
                        Start date:22/07/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        Imagebase:0xbd0000
                        File size:43176 bytes
                        MD5 hash:C09985AE74F0882F208D75DE27770DFA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:4
                        Start time:19:36:20
                        Start date:22/07/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        Imagebase:0xbd0000
                        File size:43176 bytes
                        MD5 hash:C09985AE74F0882F208D75DE27770DFA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.690286569.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.429466512.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.429466512.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.688515843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.688515843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.428206053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.428206053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.428807538.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.428807538.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.428533310.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.428533310.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.690509343.0000000007018000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:moderate


                          Execution Graph

                          Execution Coverage:25%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:18.3%
                          Total number of Nodes:120
                          Total number of Limit Nodes:9
[Execution graph rendering omitted; node and edge listing not reproduced. API calls appearing as graph nodes: CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, SetThreadContext, ResumeThread, EnumWindows, CheckRemoteDebuggerPresent, FindCloseChangeNotification]

                          Control-flow Graph

[Control-flow graph rendering omitted (first node 14abeb4-14abebb); executed/not-executed node coloring and edge list not reproduced]
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: !1$nw$7$nw$7
                          • API String ID: 0-765070513
                          • Opcode ID: 974bc4bef4af99ad1a61e44164ab21785d5bd1b8f964c56151f135c0e1d00039
                          • Instruction ID: ae99834862b45949076487c17805e98ca4cd23841131e5ef67ae1d3a47b28b54
                          • Opcode Fuzzy Hash: 974bc4bef4af99ad1a61e44164ab21785d5bd1b8f964c56151f135c0e1d00039
                          • Instruction Fuzzy Hash: 6E226874E05219CFDB64CFA5D880BEEBBB1EF69300F5590AAC509AB351DB309A81CF15
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

[Control-flow graph rendering omitted (first node 14a896f-14a8978); executed/not-executed node coloring and edge list not reproduced]
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: 3c"$6p1$J
                          • API String ID: 0-217036146
                          • Opcode ID: 6acf68a5495db3fdcdd40b60a215810b3017abbec85b0c08623c5cb6399a3149
                          • Instruction ID: 9279f7c134aa05c2b7ede9b2e67ead5a90f198cc60ca37137e4e984f8fa20df5
                          • Opcode Fuzzy Hash: 6acf68a5495db3fdcdd40b60a215810b3017abbec85b0c08623c5cb6399a3149
                          • Instruction Fuzzy Hash: 7BF1CFB0D05317CFCB14CFA8C8405AEFBB1FF65321B5A86ABD504AA266D334D942CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

[Control-flow graph rendering omitted (first node 14a8af0-14a8b12); executed/not-executed node coloring and edge list not reproduced]
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: 3c"$6p1$6p1
                          • API String ID: 0-2752395122
                          • Opcode ID: 419a2512f5bc6d7e565133c6995c729c42b183814a2930af0b538eab65f6becf
                          • Instruction ID: d095c477f09fe673498ebaf65cf4328e3513363cddadc4176e7f93992c1eed9a
                          • Opcode Fuzzy Hash: 419a2512f5bc6d7e565133c6995c729c42b183814a2930af0b538eab65f6becf
                          • Instruction Fuzzy Hash: 4CB18AB4D0521ACFCB00DFA5C9419AEFBB2FF58311B55862AD515AB224D334DA02CFA8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 014AD65E
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CheckDebuggerPresentRemote
                          • String ID: QS9t
                          • API String ID: 3662101638-1709383597
                          • Opcode ID: 297d62bf7679f207a5b3902e869507db03cc02b5401878a4053fd5e7f9cd91b1
                          • Instruction ID: dc5627bc3a292f0ca0be863210edd4197576483820809b42fefc262a316cb61d
                          • Opcode Fuzzy Hash: 297d62bf7679f207a5b3902e869507db03cc02b5401878a4053fd5e7f9cd91b1
                          • Instruction Fuzzy Hash: 0431B7B8D012189FCB14CFE9D880ADEFBF5BB49314F54942AE818B7200C775A9468F94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: $9p,$I=J
                          • API String ID: 0-1513552547
                          • Opcode ID: 2e61500f2ccfed6620b7edfce697514e3b0737e236c0bd67944a8e10084755a0
                          • Instruction ID: 321a128248f641f8f6b28072d8fdb92ddf783ab5449a636ef3ae0271b12992fa
                          • Opcode Fuzzy Hash: 2e61500f2ccfed6620b7edfce697514e3b0737e236c0bd67944a8e10084755a0
                          • Instruction Fuzzy Hash: B4F17270D04206DFC758CFA5C4854AEFBB2FF99310B56CA5AC405AB665D734E982CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: $9p,$I=J
                          • API String ID: 0-1513552547
                          • Opcode ID: d789b77d827fb02aba0f41b88e18948a153ffde62e91d627840d516c74a8df58
                          • Instruction ID: 3bdac888966186bcdfd7624355d027a5acfddb82329f3615ed3b3ec9d70cad91
                          • Opcode Fuzzy Hash: d789b77d827fb02aba0f41b88e18948a153ffde62e91d627840d516c74a8df58
                          • Instruction Fuzzy Hash: 92D14F70D0020ADFCB14CFA9C5818AEFBB2FF99340B55C55AD515AB225E734EA82CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: xsl$xsl
                          • API String ID: 0-2450867006
                          • Opcode ID: 7a40251c6a999e5fea51c3a624ddd04c4d30e5a7055d3d0bcd3f1ce50b099255
                          • Instruction ID: e066c16fb4dab6d83cc8223ee9de7954a406ab0a7fdca27261443d0ccec65f1a
                          • Opcode Fuzzy Hash: 7a40251c6a999e5fea51c3a624ddd04c4d30e5a7055d3d0bcd3f1ce50b099255
                          • Instruction Fuzzy Hash: 11518C74E05218DFDB18CFA9C0446EEBBB1FF55304F56882AD012AB360DB799942CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @:v\
                          • API String ID: 0-2283021512
                          • Opcode ID: 29095eb05bb44c6675e0d19c22b58bd9390daa1dc12e70d6c4f82686c240b34d
                          • Instruction ID: e96104fc5b86e8d6ec7a6eee80119447551bbfe5dc0db71ef3dea4e03ab6b700
                          • Opcode Fuzzy Hash: 29095eb05bb44c6675e0d19c22b58bd9390daa1dc12e70d6c4f82686c240b34d
                          • Instruction Fuzzy Hash: BB910274E05219CFDB14CFEAD840AEEFBB2BB98300F95816AD405BB664DB349942CF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @:v\
                          • API String ID: 0-2283021512
                          • Opcode ID: c8313e92d9aa4374795b6f33e3616320ab525dd2f711c7240ec0cf366aca8a3c
                          • Instruction ID: 907b6a33c713ab620e153fce1fc856e1ca41f9c629312beb2be1f1fcad256af5
                          • Opcode Fuzzy Hash: c8313e92d9aa4374795b6f33e3616320ab525dd2f711c7240ec0cf366aca8a3c
                          • Instruction Fuzzy Hash: 9891F274E05219CFDB14CFEAD9806DEFBB2BB98300F91816AD409BB664D7309942CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 504816786a020de7af6d139b15c1a0eb9d16de130433fb013ede5f438e20696a
                          • Instruction ID: 5d0237d2a840505d48efedb2922d9ebdbc8b40dc6d502e0be5c53c178b5737b3
                          • Opcode Fuzzy Hash: 504816786a020de7af6d139b15c1a0eb9d16de130433fb013ede5f438e20696a
                          • Instruction Fuzzy Hash: 6FF1F274E042298FDB69CF65C850BDEBBB6EFA9300F1091EA9509A7254EB305F81CF45
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 718699d6c7ea3b73c44093229f3f65f66e54368f7414610bb1e1769692223028
                          • Instruction ID: 7ac9d9577163497ac2d5e7e2edcded5ce2d5760b52283e4e661a972e93c56563
                          • Opcode Fuzzy Hash: 718699d6c7ea3b73c44093229f3f65f66e54368f7414610bb1e1769692223028
                          • Instruction Fuzzy Hash: 80E1F174E042298FDB69CF65D840BDEBBB6FFA9300F1091EAD509A7254EB305E818F45
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d5e4f2239a924566d86d75346a09d43221b8809d06d5abe3181cb9e20561f828
                          • Instruction ID: 846cb4f19977f8cee728e680aeec64adc95df53af14d1163523311c9825eb363
                          • Opcode Fuzzy Hash: d5e4f2239a924566d86d75346a09d43221b8809d06d5abe3181cb9e20561f828
                          • Instruction Fuzzy Hash: 77B10174E042198FDB18CFA9C9809EEFBF2FF89700F24862AD405AB365D7359946CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f3039a6a9e2bd6bcedc927f58f8ed22d779cb4f83c26b29a6db6ba9428b4e2d2
                          • Instruction ID: d1e4e145b5cbd6438a23577d41abab7e0e0efb079465b056432028c56b5a96ee
                          • Opcode Fuzzy Hash: f3039a6a9e2bd6bcedc927f58f8ed22d779cb4f83c26b29a6db6ba9428b4e2d2
                          • Instruction Fuzzy Hash: 22B1D0B4E002198FDB18CFA9C9809EEBBF2FF89700F24852AD515AB365D7319946CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d092df02f69b31827ad700819c03bb7b83d88b89f2b10241adb8c16544ef03be
                          • Instruction ID: 55e2babfc80e70f65acbe328f78cb4ecb18c36d18c1ade73eda9a7f70e2dfe0b
                          • Opcode Fuzzy Hash: d092df02f69b31827ad700819c03bb7b83d88b89f2b10241adb8c16544ef03be
                          • Instruction Fuzzy Hash: E2511A74E046098FCB08CFA9C9446EEFBF2BF88700F14D56AD415B7265D7349942CB68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a5ee0ad3b6aae994cbf0e11c96bfcfb9063a22bfcc3dd62bdbcab07886c38991
                          • Instruction ID: 17e46e34e89af0bbe4c43365026df0205af3ee8cbd1a9ec7b414d9180e38871b
                          • Opcode Fuzzy Hash: a5ee0ad3b6aae994cbf0e11c96bfcfb9063a22bfcc3dd62bdbcab07886c38991
                          • Instruction Fuzzy Hash: 10513774E05208DFDB04CFA5D9509DEBBB6FF99300F66A46AE501A7364E7349A018F14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8bd7dbd17f953cd51eaf9219a780dd39cebef0fb2ba7eefe7be8b046c4663f96
                          • Instruction ID: 85d91268ffa623732b4b04efec3a7305a164a4bb544e73764bac8d0619c2e3ec
                          • Opcode Fuzzy Hash: 8bd7dbd17f953cd51eaf9219a780dd39cebef0fb2ba7eefe7be8b046c4663f96
                          • Instruction Fuzzy Hash: 79513974E04208DFDF04CFA5E5509DEBBB6FF99300F66A46AE511A7324E7349A018F54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 806ecd2544ad36f81c414f45752abc645067fa8356c719781125aa4129c162e8
                          • Instruction ID: ef8c014a58b8df0e202f57a7ff1c844a65280b60a6332a9296305c300d252ecf
                          • Opcode Fuzzy Hash: 806ecd2544ad36f81c414f45752abc645067fa8356c719781125aa4129c162e8
                          • Instruction Fuzzy Hash: 0A312771E006588BDB58CFAAD8446DEBBB2AFC9311F14C17AD409AB268DB341946CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a99dd-14a9e2e, with CreateProcessA called in block 14a9bd4-14a9cc2
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 014A9CAF
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID: QS9t$QS9t
                          • API String ID: 963392458-2233947037
                          • Opcode ID: 8a06df2213a353a0b0eb88b5d35975c3f528e17219e0137a5a75e5ea9ad16b51
                          • Instruction ID: 360b1659ed4f194cda7312aeb488a4d65860d2dc675e499cdb41bc9fbdbf6ab3
                          • Opcode Fuzzy Hash: 8a06df2213a353a0b0eb88b5d35975c3f528e17219e0137a5a75e5ea9ad16b51
                          • Instruction Fuzzy Hash: CDC13670D0022D8FDB24DFA8C8807EEBBB1BF55308F4485AAD409B7290DB749A85CF84
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a99e8-14a9e2e, with CreateProcessA called in block 14a9bd4-14a9cc2
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 014A9CAF
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID: QS9t$QS9t
                          • API String ID: 963392458-2233947037
                          • Opcode ID: 9d715509b302e72349e80700c9897bb249e6d8c8a346c2ba0ea16e26a78cd292
                          • Instruction ID: 9dd881449c991578d63a00c634cb9716becff3340bfe728aad3516588a219166
                          • Opcode Fuzzy Hash: 9d715509b302e72349e80700c9897bb249e6d8c8a346c2ba0ea16e26a78cd292
                          • Instruction Fuzzy Hash: 44C12770D0021D8FDF24DFA8C8807EEBBB5BB55308F4495AAD409B7290DB749A85CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a9659-14a979e, with WriteProcessMemory called in block 14a96e2-14a9743
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014A9733
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID: QS9t$U
                          • API String ID: 3559483778-1032977552
                          • Opcode ID: d1388f59eac02ac5b8762705229fe80d0caa2740d3677eac4c4666ce2f1e52d3
                          • Instruction ID: 2fad8c33f9c02b311c43326cb3fcd24833ead4b050303c4caa87c291739a56ca
                          • Opcode Fuzzy Hash: d1388f59eac02ac5b8762705229fe80d0caa2740d3677eac4c4666ce2f1e52d3
                          • Instruction Fuzzy Hash: 3341CAB8D002589FCF04CFA9D984ADEFBF1BB49314F14942AE818B7250D739AA45CF64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a97b0-14a98d5, with ReadProcessMemory called in block 14a97b0-14a987a
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014A986A
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID: QS9t$U
                          • API String ID: 1726664587-1032977552
                          • Opcode ID: 8a378ae412f776a862bfa8d76b15852ed6f6190ab0d4faaa88bd1bbdbe613faf
                          • Instruction ID: 40c4723b2747d0e72684087c2cb0096800c13c298393bd86a11d25fc3f83f5e9
                          • Opcode Fuzzy Hash: 8a378ae412f776a862bfa8d76b15852ed6f6190ab0d4faaa88bd1bbdbe613faf
                          • Instruction Fuzzy Hash: CC41B9B9D00258DFCF00CFA9D880AEEFBB5BB19314F14942AE815B7210D735A945CF68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a9320-14a9401, with ResumeThread called in block 14a9320-14a93b6
                          APIs
                          • ResumeThread.KERNELBASE(?), ref: 014A93A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID: QS9t$U
                          • API String ID: 947044025-1032977552
                          • Opcode ID: ac26bedcfc51ba35578ecb88b1ee32ec014ee22d6677928dc23f41622388bf15
                          • Instruction ID: 2aa78707ffaf0b1b14779d887f2af317063e5de86e5ca1d779f6624104e2fdae
                          • Opcode Fuzzy Hash: ac26bedcfc51ba35578ecb88b1ee32ec014ee22d6677928dc23f41622388bf15
                          • Instruction Fuzzy Hash: 6D31ECB4D002189FCF14CFA9D884ADEFBB5AF49318F14942AE818B7350CB79A901CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a9660-14a979e, with WriteProcessMemory called in block 14a96e2-14a9743
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014A9733
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID: QS9t
                          • API String ID: 3559483778-1709383597
                          • Opcode ID: 723f840f6bcb7e4ac10767663f766613139bc58cfe1d25f5dbdb4f9b54186665
                          • Instruction ID: d98b831c633fca9db2920a59e2bf2fa94dd5a1b49ec109e726328fdc1ee16dbe
                          • Opcode Fuzzy Hash: 723f840f6bcb7e4ac10767663f766613139bc58cfe1d25f5dbdb4f9b54186665
                          • Instruction Fuzzy Hash: D641AAB8D002589FCF00CFA9D984ADEFBF5BB49314F14942AE818B7250D734AA45CF64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a97b8-14a98d5, with ReadProcessMemory called in block 14a97b8-14a987a
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014A986A
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID: QS9t
                          • API String ID: 1726664587-1709383597
                          • Opcode ID: 1f676a5a4843156f6f33a13577163cca196d7ae6b4b0b6d2e1a8eca99083748e
                          • Instruction ID: 9b6781bdc3b379fba414882deb56deb9f3ce92a532243d8cc4a9cc3d159d264c
                          • Opcode Fuzzy Hash: 1f676a5a4843156f6f33a13577163cca196d7ae6b4b0b6d2e1a8eca99083748e
                          • Instruction Fuzzy Hash: 7841B8B8D00258DFCF00CFAAD880AEEFBB5BB09314F14942AE814B7210C734A945CF68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a9539-14a964d, with VirtualAllocEx called in block 14a9539-14a95fa
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 014A95EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: QS9t
                          • API String ID: 4275171209-1709383597
                          • Opcode ID: f3c45b0915fd4ba981bcd6839da3ccdba2291e4c2f8b6b4b2319d537b9c92e48
                          • Instruction ID: 54c2816fe6276c816a26dc17ecc4491495ec8fe3832454d730b6af390f40363a
                          • Opcode Fuzzy Hash: f3c45b0915fd4ba981bcd6839da3ccdba2291e4c2f8b6b4b2319d537b9c92e48
                          • Instruction Fuzzy Hash: A441A8B9D00258DFCF14CFA9D880AEEFBB5BB59314F10942AE815B7210C735A946CF58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a9540-14a964d, with VirtualAllocEx called in block 14a9540-14a95fa
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 014A95EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: QS9t
                          • API String ID: 4275171209-1709383597
                          • Opcode ID: a56d5ec697b164088c9462b8976e96f50c31be08bd52b7322517089815d16a9d
                          • Instruction ID: 655d51c643a70ef6e6ae4f92ca679ad2deb6dfa26259b65c3f696163743e789f
                          • Opcode Fuzzy Hash: a56d5ec697b164088c9462b8976e96f50c31be08bd52b7322517089815d16a9d
                          • Instruction Fuzzy Hash: BD3197B9D002589FCF10CFA9D880ADEFBB5BB19314F10942AE819B7210D735A946CF58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a9410-14a952c, with SetThreadContext called in block 14a948f-14a94d7
                          APIs
                          • SetThreadContext.KERNELBASE(?,?), ref: 014A94C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ContextThread
                          • String ID: QS9t
                          • API String ID: 1591575202-1709383597
                          • Opcode ID: e029c57df772103a59e5c2e2a5f05e8799b28f07e6a4324adaa36f8d492f208c
                          • Instruction ID: be1ca5fc36a6b7e822a0625fb34f6ec4885801d8f5016347f69313cc9b890185
                          • Opcode Fuzzy Hash: e029c57df772103a59e5c2e2a5f05e8799b28f07e6a4324adaa36f8d492f208c
                          • Instruction Fuzzy Hash: 9141CBB5D002189FDB14CFE9D884AEEBBF5BB48314F14842AE418B7250D778A945CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14a9418-14a952c, with SetThreadContext called in block 14a948f-14a94d7
                          APIs
                          • SetThreadContext.KERNELBASE(?,?), ref: 014A94C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ContextThread
                          • String ID: QS9t
                          • API String ID: 1591575202-1709383597
                          • Opcode ID: dfe6d48f45f68dcd55471fff9f3bef24f8bfe688eb3db8e67c68811c8e7fbd34
                          • Instruction ID: b6bd52280eb41cbfa15022b7c6b3d497784a2b2fbac35573e1fc4941e2618123
                          • Opcode Fuzzy Hash: dfe6d48f45f68dcd55471fff9f3bef24f8bfe688eb3db8e67c68811c8e7fbd34
                          • Instruction Fuzzy Hash: 0E31CAB4D002189FCB14CFAAD884AEEFBF5BB48318F14842AE418B7240C738A945CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Graph rendering not reproduced (executed / not-executed block colouring lost); basic blocks span 14ad999-14ada9e, with EnumWindows called in block 14ada00-14ada49
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: EnumWindows
                          • String ID: QS9t
                          • API String ID: 1129996299-1709383597
                          • Opcode ID: 92877f5b1bdca1626f6be1c68629a6551d632dde03596073e02a834c339dd063
                          • Instruction ID: 048f03a7ebc9c4eab42b3e128524a26c4425a3d8e76cc2cd6701ec0e9a1f40dc
                          • Opcode Fuzzy Hash: 92877f5b1bdca1626f6be1c68629a6551d632dde03596073e02a834c339dd063
                          • Instruction Fuzzy Hash: 7631DCB4D002189FDB14CFA9D884AEEFBB5BF5A314F10942AE805B7350C734A946CF98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: EnumWindows
                          • String ID: QS9t
                          • API String ID: 1129996299-1709383597
                          • Opcode ID: b9ab80603815750126c69502cbe9b7aada28f62620570d27fcd84e3bbea24410
                          • Instruction ID: 7891b47e4719ed66cb34fd15edd31581cdcd773c6f17df87d5c142009c859dd8
                          • Opcode Fuzzy Hash: b9ab80603815750126c69502cbe9b7aada28f62620570d27fcd84e3bbea24410
                          • Instruction Fuzzy Hash: 0131EBB4D002189FCB14CFA9D884AEEFBB5BF49314F10942AE805B7350C734A946CF98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 014AD65E
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CheckDebuggerPresentRemote
                          • String ID: QS9t
                          • API String ID: 3662101638-1709383597
                          • Opcode ID: d942c3e41f16ed32be07209fad33b550cd669387350f07816d3a0681e1dae9fc
                          • Instruction ID: 96244c7acfcb2ab1f6b81c5f985dcbe0d1b2b3da218f68a1ce433a9d0392283c
                          • Opcode Fuzzy Hash: d942c3e41f16ed32be07209fad33b550cd669387350f07816d3a0681e1dae9fc
                          • Instruction Fuzzy Hash: A931CAB4D002189FCB14CFE9D880ADEFBF5BB48314F50842AE808B7210C775A9458F94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ResumeThread.KERNELBASE(?), ref: 014A93A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID: QS9t
                          • API String ID: 947044025-1709383597
                          • Opcode ID: 545a5a211cc100ee6b28d17db510bec771e3f0598033a93a74d5578dccbc0fe3
                          • Instruction ID: f130fe9c2d5fdd19def8c2503f30e68d4fe8df948b3f004432e4c4cd6a8f64dc
                          • Opcode Fuzzy Hash: 545a5a211cc100ee6b28d17db510bec771e3f0598033a93a74d5578dccbc0fe3
                          • Instruction Fuzzy Hash: B131AAB4D002189FCF14CFA9D884ADEFBB5AF49314F14942AE819B7350C775A945CF98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?), ref: 014AD74E
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID: QS9t
                          • API String ID: 2591292051-1709383597
                          • Opcode ID: cc8fa908e9eb8b10a72328a2be3831f28aba6d5210747d12d4299c41d013517c
                          • Instruction ID: 1bfda4f10d526b2dd3b2c949eca3dd8c179bac6bdb73ea42c6fcd0aae3ea07cb
                          • Opcode Fuzzy Hash: cc8fa908e9eb8b10a72328a2be3831f28aba6d5210747d12d4299c41d013517c
                          • Instruction Fuzzy Hash: 5B31ACB8D002189FCB14CFA9D884AEEFBF4BB49324F14902AE818B7350D775A945CF64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?), ref: 014AD74E
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID: QS9t
                          • API String ID: 2591292051-1709383597
                          • Opcode ID: 28ead3acfb3f646996398fd6bb303cfa67eb9bcdf3362037e7df699654b15269
                          • Instruction ID: 07f10fa65b512e9907a178c250a6bd64e6074095290b424c0168b6a014bab8af
                          • Opcode Fuzzy Hash: 28ead3acfb3f646996398fd6bb303cfa67eb9bcdf3362037e7df699654b15269
                          • Instruction Fuzzy Hash: 2A21BBB8D002189FCB14CFA9D984ADEFBF4BB09324F14942AE818B3310D775A945CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431027520.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_145d000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61d19739ebd24fd92f09907319d3c078b3a96618f861081b78242f655fd59b19
                          • Instruction ID: 9d1fe310df796bbd6360f3548786b8268193b482893320c328a2cc9752731b01
                          • Opcode Fuzzy Hash: 61d19739ebd24fd92f09907319d3c078b3a96618f861081b78242f655fd59b19
                          • Instruction Fuzzy Hash: C521F2B09042449FDB54DFA4D9C4B26BBA9FF84A58F20C96AE80A4B353C336D847C661
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431027520.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_145d000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 22c594ff78b8faeaf1e41c4f18a6878c41e48f21f152f271abbc085b2cd756ed
                          • Instruction ID: 91d252226e5428228813d26a3dad48ad77b05181ba2e6b481c86953f2614e1d5
                          • Opcode Fuzzy Hash: 22c594ff78b8faeaf1e41c4f18a6878c41e48f21f152f271abbc085b2cd756ed
                          • Instruction Fuzzy Hash: 1F219F715093C08FDB12DF24D594B15BF71AF46614F28C5EBD8498B6A3C33A984ACB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: Cx~H$Cx~H$Cx~H
                          • API String ID: 0-43860315
                          • Opcode ID: 6f09a331ff883ed960e9cb016b0ace8acea45bb4aac4fa49b10577a58f396e33
                          • Instruction ID: 65ab9328221d6d8af6d0eb920611978a0412f1d48a62324b26db6ee378e8964d
                          • Opcode Fuzzy Hash: 6f09a331ff883ed960e9cb016b0ace8acea45bb4aac4fa49b10577a58f396e33
                          • Instruction Fuzzy Hash: E671F2B4D0420ADFCB04CF99C5849AEFBF6FF69210F59941AE415AB324D730A982CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: Cx~H$Cx~H$Cx~H
                          • API String ID: 0-43860315
                          • Opcode ID: bde8ff995fa1a3c809c08c30f31388f7eeeb6df406bcc82da3d5ffb00fef4d6f
                          • Instruction ID: d89a2dbde012357ba91dc738043e6792254928835894b0a57d6d3186001757a3
                          • Opcode Fuzzy Hash: bde8ff995fa1a3c809c08c30f31388f7eeeb6df406bcc82da3d5ffb00fef4d6f
                          • Instruction Fuzzy Hash: 0161F574E0420ADFCB04CF99C5849AEFBF2FF69210F59955AE415AB314D370A982CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: QS9t$QS9t
                          • API String ID: 0-2233947037
                          • Opcode ID: 7bebdddd8e0dd05fef2eedac8468336d5e030ad2dbd3d0b53c0e52ffe2420a5a
                          • Instruction ID: 500fea395814aaec15a4ba348f31e5cb8f6ac7583a52db67c42c36f040678e38
                          • Opcode Fuzzy Hash: 7bebdddd8e0dd05fef2eedac8468336d5e030ad2dbd3d0b53c0e52ffe2420a5a
                          • Instruction Fuzzy Hash: F1815870C093988FCB12CFA8C8947DEBFB1FF06314F1585AAD445AB2A2DB74584ACB55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: QS9t$QS9t
                          • API String ID: 0-2233947037
                          • Opcode ID: 1855821db392e93604a7d34e63c52f7cd343f39437ee66b0fd49b8d1bc10801c
                          • Instruction ID: 5bab7750af20a308ba62a9e8e24031ad7575074705a2ca9df8f92b719e2f1258
                          • Opcode Fuzzy Hash: 1855821db392e93604a7d34e63c52f7cd343f39437ee66b0fd49b8d1bc10801c
                          • Instruction Fuzzy Hash: C8510FB4D002188FDB14CFE9D884BEEBBB1BB59314F24852AD815AB7A0DB749846CF45
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: QS9t$QS9t
                          • API String ID: 0-2233947037
                          • Opcode ID: 8143b9471c7a0a97ef00aab6a57548a9b201dd08e3a03b36dcb1750343f9db8f
                          • Instruction ID: 1bf7abab67d3242198a43a2ee3634fe382e54e2d2a7b1d144a3718a9d4a149b1
                          • Opcode Fuzzy Hash: 8143b9471c7a0a97ef00aab6a57548a9b201dd08e3a03b36dcb1750343f9db8f
                          • Instruction Fuzzy Hash: AB51F2B4D002188FDB14CFE9D884BEEBBB6BF49314F24852AD419AB7A0DB749845CF45
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: QS9t$QS9t
                          • API String ID: 0-2233947037
                          • Opcode ID: ae1967a6ba7b5c3c956b8f392bbb002778d10055ca8cd9c8804bc55193f248f2
                          • Instruction ID: dab8b3d18a06bc3595f27e511a28382e75fc7488407f6651b8e09b29870c43a7
                          • Opcode Fuzzy Hash: ae1967a6ba7b5c3c956b8f392bbb002778d10055ca8cd9c8804bc55193f248f2
                          • Instruction Fuzzy Hash: 3D5100B4D00218CFDB54CFA9C884BDEBBB1BB59314F64852AE415BB360DB749846CF85
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: QS9t$QS9t
                          • API String ID: 0-2233947037
                          • Opcode ID: edf2655b1a35738513b1d2545fb216331cef1ba0da711581de5e980fd3bb9c2b
                          • Instruction ID: 4d71610efc25751741dd5eda7bb33329097c246d6c895796db60fa9745320156
                          • Opcode Fuzzy Hash: edf2655b1a35738513b1d2545fb216331cef1ba0da711581de5e980fd3bb9c2b
                          • Instruction Fuzzy Hash: D751F0B4D002188FDB14CFE9C884BDEBBB1BF59304F64952AE815AB7A0DB74A845CF45
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: QS9t$QS9t
                          • API String ID: 0-2233947037
                          • Opcode ID: 5a2b182c19e202f0f896f6b0296add067ac88a6d410ffe8b7284d2d408025b22
                          • Instruction ID: 7268bad64687179732fa4c6fb438dbc517c0a0c67e22bffa058a89c1cc209ca9
                          • Opcode Fuzzy Hash: 5a2b182c19e202f0f896f6b0296add067ac88a6d410ffe8b7284d2d408025b22
                          • Instruction Fuzzy Hash: CD51F0B4D002188FDB14CFE9C884BDEBBB6BB49314F54852AE429AB7A0DB749845CF45
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: 0grt
                          • API String ID: 0-3600176201
                          • Opcode ID: e58042a041b35b1209971e5b268c19b6e07e53b208c5c7fff2f2947b598890b4
                          • Instruction ID: a05337999dd4e30cab433fb9c9b6671c58a1650f62780c8534bc72c66c42c01b
                          • Opcode Fuzzy Hash: e58042a041b35b1209971e5b268c19b6e07e53b208c5c7fff2f2947b598890b4
                          • Instruction Fuzzy Hash: D56134B5E0520ADFCB04CFAAC5805EEFBB1BF99300F55842AD515AB364D734AA42CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: d731e6f6ae5143ef9e6f1b6b7b326f68cffcd9418eab02e09b01530b07338778
                          • Instruction ID: a894e557c9b93656b6d375d08efb7b547cf662c749e21ae8d7de46d17e610be0
                          • Opcode Fuzzy Hash: d731e6f6ae5143ef9e6f1b6b7b326f68cffcd9418eab02e09b01530b07338778
                          • Instruction Fuzzy Hash: E3314DB1D007459FE759CF6B88446DABBB3AFD9340F08C0BAD808AA265DB3409468F11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: e39d0f302dfa9a02eb03449a4345e73253bbd71b884f11f6a95c3c2969bd465b
                          • Instruction ID: fb1119f769fb1260a3d83f923f46e406e15d96ed804d75ff8521a1ee49710248
                          • Opcode Fuzzy Hash: e39d0f302dfa9a02eb03449a4345e73253bbd71b884f11f6a95c3c2969bd465b
                          • Instruction Fuzzy Hash: 0821C1B5E006199BEB18CF6BD8406DEFBF7BFC8300F04C176D918A6268EB3015568E50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 698b4453778ceebbd2df13f52a9db0c55061a0d104f97ab35a5397ae44652a03
                          • Instruction ID: cc2d71b67ad653aad53f28a8bdbb369ae7486c259012d79d41762f45c4c5dec9
                          • Opcode Fuzzy Hash: 698b4453778ceebbd2df13f52a9db0c55061a0d104f97ab35a5397ae44652a03
                          • Instruction Fuzzy Hash: 4471EE74E11219CFCB44CFA9D58499EBBF1FF88310F29816AE409AB324D374AA42CF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1d022b332e5698b232af6142e5e8f02b85373425e28f98cfcb4e88ef78db2110
                          • Instruction ID: 958963adb5f6f95f04f84f254b4b4a551eaba0e333a8f1b8c3b2ebaf7b24d592
                          • Opcode Fuzzy Hash: 1d022b332e5698b232af6142e5e8f02b85373425e28f98cfcb4e88ef78db2110
                          • Instruction Fuzzy Hash: C271E274E11219CFCB44CFA9D5849AEFBF1FF88310F29856AE405AB225D374AA42CF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 764c9d3f32ee0cbe6b7eaaf6ad5e9266bf3133503dc30aedc0505ecbbb1d4d01
                          • Instruction ID: 85c88f0679111579451aee34fefd2514c3c992a6d8eb7fe7bb5c89e243befffa
                          • Opcode Fuzzy Hash: 764c9d3f32ee0cbe6b7eaaf6ad5e9266bf3133503dc30aedc0505ecbbb1d4d01
                          • Instruction Fuzzy Hash: 0D413A31E457089FDB48CFA6E8406EDBBB2EBD4320F25C66BD404ABA64D7384C42CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: da914aa70430d4fdfb6a9d8413c6d24ebcd429fdff6e0185f92180c187faf264
                          • Instruction ID: 2b4402bc021a559b2824dca8a599449d0775d1f2443972d7ef1b288489121d3e
                          • Opcode Fuzzy Hash: da914aa70430d4fdfb6a9d8413c6d24ebcd429fdff6e0185f92180c187faf264
                          • Instruction Fuzzy Hash: D9412D71D056948FEB19CF6A9C406DABFB3AFC9300F19C1FAD408AA265DB350946CF41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000001.00000002.431128841.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_14a0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0547f04c181a148cd472caa2afd2befba41ba7ee37c30914545b5567d3bafcf8
                          • Instruction ID: 9387135075beadaa971a5ee975c282a4d4009f727396adcf8cba5925cb336431
                          • Opcode Fuzzy Hash: 0547f04c181a148cd472caa2afd2befba41ba7ee37c30914545b5567d3bafcf8
                          • Instruction Fuzzy Hash: AD310A71E01618DBDB08CFAAD940ADEFBF6AFC8300F24C52AE508AB268D73049418F54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Execution Graph

                          Execution Coverage: 10%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 4.3%
                          Total number of Nodes: 92
                          Total number of Limit Nodes: 3
                          execution_graph 38205 ab5d0f4 38206 ab5ed10 CreateWindowExW 38205->38206 38208 ab5ee34 38206->38208 38257 54dfc98 38258 54dfcfe 38257->38258 38262 54dfe48 38258->38262 38266 54dfe58 38258->38266 38259 54dfdad 38270 54dfeba DuplicateHandle 38262->38270 38272 54dfec0 DuplicateHandle 38262->38272 38263 54dfe86 38263->38259 38267 54dfe86 38266->38267 38268 54dfeba DuplicateHandle 38266->38268 38269 54dfec0 DuplicateHandle 38266->38269 38267->38259 38268->38267 38269->38267 38271 54dff56 38270->38271 38271->38263 38273 54dff56 38272->38273 38273->38263 38274 a8a73d0 38277 a8a73f5 38274->38277 38275 a8a756f 38276 a8a7b54 LdrInitializeThunk 38276->38277 38277->38275 38277->38276 38209 54d4540 38210 54d4554 38209->38210 38213 54d478a 38210->38213 38211 54d455d 38214 54d4793 38213->38214 38219 54d496c 38213->38219 38224 54d4870 38213->38224 38229 54d4986 38213->38229 38234 54d485f 38213->38234 38214->38211 38220 54d491f 38219->38220 38220->38219 38221 54d49ab 38220->38221 38239 54d4c78 38220->38239 38244 54d4c67 38220->38244 38225 54d48b4 38224->38225 38226 54d49ab 38225->38226 38227 54d4c78 2 API calls 38225->38227 38228 54d4c67 2 API calls 38225->38228 38227->38226 38228->38226 38230 54d4999 38229->38230 38231 54d49ab 38229->38231 38232 54d4c78 2 API calls 38230->38232 38233 54d4c67 2 API calls 38230->38233 38232->38231 38233->38231 38235 54d4871 38234->38235 38236 54d49ab 38235->38236 38237 54d4c78 2 API calls 38235->38237 38238 54d4c67 2 API calls 38235->38238 38237->38236 38238->38236 38240 54d4c86 38239->38240 38249 54d4cc8 38240->38249 38253 54d4cb8 38240->38253 38241 54d4c96 38241->38221 38245 54d4c86 38244->38245 38247 54d4cc8 RtlEncodePointer 38245->38247 38248 54d4cb8 RtlEncodePointer 38245->38248 38246 54d4c96 38246->38221 38247->38246 38248->38246 38250 54d4d02 38249->38250 38251 54d4d2c RtlEncodePointer 38250->38251 38252 54d4d55 38250->38252 38251->38252 38252->38241 38254 54d4d02 38253->38254 38255 54d4d2c RtlEncodePointer 
38254->38255 38256 54d4d55 38254->38256 38255->38256 38256->38241 38278 54dadd0 38279 54dadee 38278->38279 38282 54d9dc0 38279->38282 38281 54dae25 38283 54dc8f0 LoadLibraryA 38282->38283 38285 54dc9cc 38283->38285 38286 ab5a068 38287 ab5a07d 38286->38287 38288 ab5a35c 38287->38288 38289 ab5b3c4 GlobalMemoryStatusEx 38287->38289 38289->38287 38290 ab5d358 38291 ab5d382 38290->38291 38296 ab5d880 38291->38296 38292 ab5d400 38293 ab5d01c GetModuleHandleW 38292->38293 38294 ab5d429 38292->38294 38293->38294 38297 ab5d8ad 38296->38297 38298 ab5d92e 38297->38298 38300 ab5d9f0 38297->38300 38301 ab5da05 38300->38301 38303 ab5da29 38301->38303 38313 ab5d01c 38301->38313 38304 ab5d01c GetModuleHandleW 38303->38304 38312 ab5dbf4 38303->38312 38306 ab5db7a 38304->38306 38305 ab5dc4f 38305->38298 38306->38305 38309 ab5d01c GetModuleHandleW 38306->38309 38306->38312 38307 ab5dd78 GetModuleHandleW 38308 ab5dda5 38307->38308 38308->38298 38310 ab5dbc8 38309->38310 38311 ab5d01c GetModuleHandleW 38310->38311 38310->38312 38311->38312 38312->38305 38312->38307 38314 ab5dd30 GetModuleHandleW 38313->38314 38316 ab5dda5 38314->38316 38316->38303

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 922 a8a73d0-a8a745a 1124 a8a745c call 54d2dd0 922->1124 1125 a8a745c call 54d2de0 922->1125 931 a8a7461-a8a74d6 939 a8a74d8-a8a7519 931->939 940 a8a752d-a8a7537 931->940 939->940 945 a8a751b-a8a752b 939->945 943 a8a753d-a8a7558 940->943 1122 a8a755a call a8a86e8 943->1122 1123 a8a755a call a8a86f0 943->1123 945->943 948 a8a755f-a8a756d call a8a44f8 951 a8a756f-a8a7f55 948->951 952 a8a757d-a8a792a 948->952 991 a8a7930-a8a793d 952->991 992 a8a7f15-a8a7f38 952->992 993 a8a7f3d-a8a7f47 991->993 994 a8a7943-a8a79ae 991->994 992->993 994->992 1005 a8a79b4-a8a79e9 994->1005 1008 a8a79eb-a8a7a10 1005->1008 1009 a8a7a12-a8a7a1a 1005->1009 1012 a8a7a1d-a8a7a66 1008->1012 1009->1012 1017 a8a7efc-a8a7f02 1012->1017 1018 a8a7a6c-a8a7a8b 1012->1018 1017->992 1019 a8a7f04-a8a7f0d 1017->1019 1126 a8a7a90 call a8a8e68 1018->1126 1127 a8a7a90 call a8a8da8 1018->1127 1019->994 1020 a8a7f13 1019->1020 1020->993 1022 a8a7a95-a8a7ac4 1022->1017 1025 a8a7aca-a8a7ad4 1022->1025 1025->1017 1026 a8a7ada-a8a7aed 1025->1026 1026->1017 1027 a8a7af3-a8a7b1a 1026->1027 1031 a8a7ebd-a8a7ee0 1027->1031 1032 a8a7b20-a8a7b23 1027->1032 1040 a8a7ee5-a8a7eeb 1031->1040 1032->1031 1033 a8a7b29-a8a7b63 LdrInitializeThunk 1032->1033 1043 a8a7b69-a8a7bb8 1033->1043 1040->992 1042 a8a7eed-a8a7ef6 1040->1042 1042->1017 1042->1027 1051 a8a7bbe-a8a7bf7 1043->1051 1052 a8a7cfd-a8a7d03 1043->1052 1056 a8a7d19-a8a7d1f 1051->1056 1068 a8a7bfd-a8a7c33 1051->1068 1053 a8a7d11 1052->1053 1054 a8a7d05-a8a7d07 1052->1054 1053->1056 1054->1053 1058 a8a7d2d-a8a7d30 1056->1058 1059 a8a7d21-a8a7d23 1056->1059 1061 a8a7d3b-a8a7d41 1058->1061 1059->1058 1062 a8a7d4f-a8a7d52 1061->1062 1063 a8a7d43-a8a7d45 1061->1063 1065 a8a7ca1-a8a7cd1 1062->1065 1063->1062 1070 a8a7cd3-a8a7cf2 1065->1070 1074 a8a7c39-a8a7c5c 1068->1074 1075 a8a7d57-a8a7d85 1068->1075 1077 a8a7d8a-a8a7ddc 1070->1077 1078 a8a7cf8 1070->1078 1074->1075 1084 a8a7c62-a8a7c95 1074->1084 1075->1070 1097 
a8a7dde-a8a7de4 1077->1097 1098 a8a7de6-a8a7dec 1077->1098 1078->1040 1084->1061 1096 a8a7c9b 1084->1096 1096->1065 1099 a8a7dfd-a8a7e1b 1097->1099 1100 a8a7dfa 1098->1100 1101 a8a7dee-a8a7df0 1098->1101 1105 a8a7e3f-a8a7ebb 1099->1105 1106 a8a7e1d-a8a7e2d 1099->1106 1100->1099 1101->1100 1105->1040 1106->1105 1109 a8a7e2f-a8a7e38 1106->1109 1109->1105 1122->948 1123->948 1124->931 1125->931 1126->1022 1127->1022
                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.692137954.000000000A8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_a8a0000_cvtres.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 88d1de360e2b5dc46db729a8d49785ec35d03d09feeb14da0e03239a622fa01d
                          • Instruction ID: 25299883ec116e800d8aea470a9733e253c81cbfa73dbd92951ce4142b723a1c
                          • Opcode Fuzzy Hash: 88d1de360e2b5dc46db729a8d49785ec35d03d09feeb14da0e03239a622fa01d
                          • Instruction Fuzzy Hash: 54621871E106188FDB24EF78C95469DB7B2AF89304F1089A9D50AEB350EF309E85CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2005 ab5d9f0-ab5da16 2008 ab5da46-ab5da4e 2005->2008 2009 ab5da18-ab5da40 call ab5d01c call ab5d07c 2005->2009 2010 ab5da94-ab5dadd call ab5d094 2008->2010 2011 ab5da50-ab5da55 call ab5d088 2008->2011 2009->2008 2021 ab5dc5b-ab5dc81 2009->2021 2032 ab5dae3-ab5db2e 2010->2032 2033 ab5dc88-ab5dcba 2010->2033 2015 ab5da5a-ab5da8f 2011->2015 2025 ab5db31-ab5db33 2015->2025 2021->2033 2029 ab5db3c-ab5db93 call ab5d01c call ab5d0a0 2025->2029 2055 ab5dc4f-ab5dc5a 2029->2055 2056 ab5db99-ab5dba6 2029->2056 2032->2025 2048 ab5dcc1-ab5dd70 2033->2048 2062 ab5dd72-ab5dd75 2048->2062 2063 ab5dd78-ab5dda3 GetModuleHandleW 2048->2063 2060 ab5dbac-ab5dbd9 call ab5d01c call ab5d094 2056->2060 2061 ab5dc4b-ab5dc4d 2056->2061 2060->2061 2073 ab5dbdb-ab5dbe8 2060->2073 2061->2048 2061->2055 2062->2063 2065 ab5dda5-ab5ddab 2063->2065 2066 ab5ddac-ab5ddc0 2063->2066 2065->2066 2073->2061 2074 ab5dbea-ab5dc01 call ab5d01c call ab5d0ac 2073->2074 2079 ab5dc03-ab5dc0c call ab5d0a0 2074->2079 2080 ab5dc0e-ab5dc3d call ab5d0a0 2074->2080 2079->2061 2080->2061 2088 ab5dc3f-ab5dc49 2080->2088 2088->2061 2088->2080
                          Memory Dump Source
                          • Source File: 00000004.00000002.692300920.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_ab50000_cvtres.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: c25cad4d43d1047fce72311cb86674384cd92a62cbf346adb7fc345c0660a6ae
                          • Instruction ID: 0ae6a868a54291fcb8c913b10c7660c813c515830e447721e5bf9dc51a2063ce
                          • Opcode Fuzzy Hash: c25cad4d43d1047fce72311cb86674384cd92a62cbf346adb7fc345c0660a6ae
                          • Instruction Fuzzy Hash: DFB1AD74B007058FCB14EF79C4946AEBBF6FF89214B048A69C806DB751DB74E8068F95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2090 ab5b850-ab5b85b 2091 ab5b885-ab5b8a4 call ab59f1c 2090->2091 2092 ab5b85d-ab5b884 call ab59f10 2090->2092 2098 ab5b8a6-ab5b8a9 2091->2098 2099 ab5b8aa-ab5b909 2091->2099 2106 ab5b90f-ab5b99c GlobalMemoryStatusEx 2099->2106 2107 ab5b90b-ab5b90e 2099->2107 2110 ab5b9a5-ab5b9cd 2106->2110 2111 ab5b99e-ab5b9a4 2106->2111 2111->2110
                          Memory Dump Source
                          • Source File: 00000004.00000002.692300920.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_ab50000_cvtres.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d8db11c37c1aac1d24197916996c6b231d051e16163bd24b0cde66b70c7fcad
                          • Instruction ID: f61092b7dfd6db527e2e28c388ba54948d2fe43ead9a4985efa778f7331f3e90
                          • Opcode Fuzzy Hash: 6d8db11c37c1aac1d24197916996c6b231d051e16163bd24b0cde66b70c7fcad
                          • Instruction Fuzzy Hash: 5B411071E107498FCB14CFB9C8447EEBBF5EF89210F1489AAD844A7291EB389845CBD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2114 ab5d0f4-ab5ed76 2116 ab5ed81-ab5ed88 2114->2116 2117 ab5ed78-ab5ed7e 2114->2117 2118 ab5ed93-ab5ee32 CreateWindowExW 2116->2118 2119 ab5ed8a-ab5ed90 2116->2119 2117->2116 2121 ab5ee34-ab5ee3a 2118->2121 2122 ab5ee3b-ab5ee73 2118->2122 2119->2118 2121->2122 2126 ab5ee75-ab5ee78 2122->2126 2127 ab5ee80 2122->2127 2126->2127
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0AB5EE22
                          Memory Dump Source
                          • Source File: 00000004.00000002.692300920.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_ab50000_cvtres.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 7a9213d05b279a8775acfa73a0da16e185e2f16d82bbfb283f8f14e0d83098b5
                          • Instruction ID: 19cc935c2aade2698cb9511bf5341bb5d9f42700f37ce4cc01364d1545b541f5
                          • Opcode Fuzzy Hash: 7a9213d05b279a8775acfa73a0da16e185e2f16d82bbfb283f8f14e0d83098b5
                          • Instruction Fuzzy Hash: 9A51B3B1D10309DFDB14CFAAC884ADEBBB5FF48314F24856AE815AB250D774A945CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • [Graph image not reproduced; basic blocks 54dc8e4-54dca15, with the LoadLibraryA call in block 54dc980-54dc9ca]
                          APIs
                          • LoadLibraryA.KERNELBASE(?), ref: 054DC9BA
                          Memory Dump Source
                          • Source File: 00000004.00000002.689730831.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_54d0000_cvtres.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 56f5e90323ec2eb81b0659d8ae0a0243102c3d33917875dec02e49c066017d02
                          • Instruction ID: d5c52d413e9eb74e7bad65aaa391640f85ad999e2b27e30a9fe204f44c0d2e03
                          • Opcode Fuzzy Hash: 56f5e90323ec2eb81b0659d8ae0a0243102c3d33917875dec02e49c066017d02
                          • Instruction Fuzzy Hash: 933112B0D002599FCB14CFA9D8957DEFBB1BB08314F14856AE816AB380D7789885CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • [Graph image not reproduced; basic blocks 54d9dc0-54dca15, with the LoadLibraryA call in block 54dc980-54dc9ca]
                          APIs
                          • LoadLibraryA.KERNELBASE(?), ref: 054DC9BA
                          Memory Dump Source
                          • Source File: 00000004.00000002.689730831.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_54d0000_cvtres.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 0a5079690b7fc5eebee30691212cf7490c6350f32727a9c82aa9f9863ad680bd
                          • Instruction ID: 0b0898fcf43a9f2d796f7a87f2e2491d11845573495c8fd49049a7fcf4a5ed3e
                          • Opcode Fuzzy Hash: 0a5079690b7fc5eebee30691212cf7490c6350f32727a9c82aa9f9863ad680bd
                          • Instruction Fuzzy Hash: C73112B0D042499FCB14CFA9C895BDEFBB1BB08314F14856AE816A7380D7789845CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • [Graph image not reproduced; basic blocks 54dfeba-54dff7a, with the DuplicateHandle call in block 54dfeba-54dff54]
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 054DFF47
                          Memory Dump Source
                          • Source File: 00000004.00000002.689730831.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_54d0000_cvtres.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: d5aba4b7b189af66e3b0cd1dd119269fcbdbc174431f256e39aa1f449551f9e0
                          • Instruction ID: f2b9e38be1b5403fa1a289352027b1487eb820de0493abc234ae9f66d81ca8c4
                          • Opcode Fuzzy Hash: d5aba4b7b189af66e3b0cd1dd119269fcbdbc174431f256e39aa1f449551f9e0
                          • Instruction Fuzzy Hash: 9B21E3B5D00249AFDB10CFA9D884AEEFBF8FB48314F14842AE915A7310C378A944CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • [Graph image not reproduced; basic blocks 54dfec0-54dff7a, with the DuplicateHandle call in block 54dfec0-54dff54]
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 054DFF47
                          Memory Dump Source
                          • Source File: 00000004.00000002.689730831.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_54d0000_cvtres.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 3fd60261f98d08480607603f977bf11733dea3a64b4c5755129eb2056ea6295b
                          • Instruction ID: 56d662b02100abf96bd6a41250a36d652c1e5cdd223052404cad1ed69209799c
                          • Opcode Fuzzy Hash: 3fd60261f98d08480607603f977bf11733dea3a64b4c5755129eb2056ea6295b
                          • Instruction Fuzzy Hash: 4C21E6B59002489FDB10CF9AD484ADEFBF8FB48314F14842AE915A3310C374A944CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • [Graph image not reproduced; basic blocks 54d4cb8-54d4d8e, with the RtlEncodePointer call in block 54d4d22-54d4d53]
                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 054D4D42
                          Memory Dump Source
                          • Source File: 00000004.00000002.689730831.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_54d0000_cvtres.jbxd
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: 1c9dcf2414f79c6ee5601e7275d15d65711312bc6b5983e5be771ead1a8997b2
                          • Instruction ID: 56401d1cf3dca814cb25dae5b1d1c89e4c1d0636b14b169b662073d297d037ea
                          • Opcode Fuzzy Hash: 1c9dcf2414f79c6ee5601e7275d15d65711312bc6b5983e5be771ead1a8997b2
                          • Instruction Fuzzy Hash: 9B21B8B18013868FCF20EFA8DA087DEBBF4FB0A314F14846AD409A3A41C7786444CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • [Graph image not reproduced; basic blocks 54d4cc8-54d4d8e, with the RtlEncodePointer call in block 54d4d22-54d4d53]
                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 054D4D42
                          Memory Dump Source
                          • Source File: 00000004.00000002.689730831.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_54d0000_cvtres.jbxd
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: 30706bf800d58cca54aed71edfee07633d611c8ef4c9fd3946db87f5d812a903
                          • Instruction ID: 3e18c8d0b1777842a6632f19ba2469bd9ef8395ec05da95a834e8a5c317c2137
                          • Opcode Fuzzy Hash: 30706bf800d58cca54aed71edfee07633d611c8ef4c9fd3946db87f5d812a903
                          • Instruction Fuzzy Hash: 111186B09003498FCF60DFA9C6087DEBBF8FB4A314F20842AD409A3A41C778A444CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • [Graph image not reproduced; basic blocks ab5d01c-ab5ddc0, with the GetModuleHandleW call in block ab5dd78-ab5dda3]
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0AB5DD96
                          Memory Dump Source
                          • Source File: 00000004.00000002.692300920.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_ab50000_cvtres.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: a4dd35a17a26d9235f06324e2387e170d38ecfb59240eb0083e1b8f04401b0bc
                          • Instruction ID: 7d7e8e734022b3f62386355e8223861ce111b38047afc1b14173331d33a6b035
                          • Opcode Fuzzy Hash: a4dd35a17a26d9235f06324e2387e170d38ecfb59240eb0083e1b8f04401b0bc
                          • Instruction Fuzzy Hash: E51102B5C006598FCB20CFAAC444BDEFBF8EF88224F14856AD819B7650D379A545CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.691651585.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_9af0000_cvtres.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 201be869f7e6539e0d90c317533525c4bdbe0a890fe2b00cc3384041fe1573f1
                          • Instruction ID: 1a307c3f25c28bf28db36440eaea400809f65739b32e5a25812b8ad293a2688c
                          • Opcode Fuzzy Hash: 201be869f7e6539e0d90c317533525c4bdbe0a890fe2b00cc3384041fe1573f1
                          • Instruction Fuzzy Hash: 41728134A0021C8FDF64DBA0C854BEEBBBAEF95304F1088A9D10A6B794DF359D459F61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.691651585.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_9af0000_cvtres.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 28df38b4fad75e586e0549f1f259659d74af50368f53bf148b462a6551f10286
                          • Instruction ID: 9f99b4c81b7e5dda56f9bbd0e785a6ca73674ced0c354b1a15524c496d5f22bc
                          • Opcode Fuzzy Hash: 28df38b4fad75e586e0549f1f259659d74af50368f53bf148b462a6551f10286
                          • Instruction Fuzzy Hash: 19D1FA75A001158FCB14DFA9D594AADBBF6FF88B11B2680A9F516AB371C730EC41CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.691651585.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_9af0000_cvtres.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 60e49be50ed2a18680a650c606ecb37206e974db191e925a72f02df007c91ec9
                          • Instruction ID: b78c79118f4e5ffd0ebbad43ca45e3acfa543d8db06d3fc7b4b6490d10bfd428
                          • Opcode Fuzzy Hash: 60e49be50ed2a18680a650c606ecb37206e974db191e925a72f02df007c91ec9
                          • Instruction Fuzzy Hash: 3AC10875E001198FCB14DFA9D998AADBBF6FF88710B268069E516AB371C730EC41CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.691651585.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_9af0000_cvtres.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: edb98da91811eed8a2bf61966bc57c8a2cd9077a6cad058030b2d4d53118e572
                          • Instruction ID: 19b4b5d7f64d1fc6120bffbec3bf0c07e9cca5786527f09d26eacd143c3ed256
                          • Opcode Fuzzy Hash: edb98da91811eed8a2bf61966bc57c8a2cd9077a6cad058030b2d4d53118e572
                          • Instruction Fuzzy Hash: 3A817035A00215CFCB15CFA9C494AAEBBB5FF44710F5684AAFA559B3A2C730EC41CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.691651585.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_9af0000_cvtres.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 46dcfebce154806aaf369a158adcc14fa24fa31ccc20ee27696053dd494bd681
                          • Instruction ID: 9f035e65581f2aed06df5cc23492b303d83691c2d7eac90055005a0d10f0ae4a
                          • Opcode Fuzzy Hash: 46dcfebce154806aaf369a158adcc14fa24fa31ccc20ee27696053dd494bd681
                          • Instruction Fuzzy Hash: C841E3313042148FCB16DF65D8696B93BE6EF89752B04806AFA46CB3A1DB38CC11DB71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.691651585.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_9af0000_cvtres.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b1627a6068b6c8e9542e0fda5357241cd754bec2914cb18acfa150c761eb3bf4
                          • Instruction ID: 541fd268f2e71c90186c0b0f60454039234b39f572ce71e210631e7f0f3b0300
                          • Opcode Fuzzy Hash: b1627a6068b6c8e9542e0fda5357241cd754bec2914cb18acfa150c761eb3bf4
                          • Instruction Fuzzy Hash: 6B118F71A0021A9FCB10DFA9D8556EEFBF9FF48710F00852AF925E3200D7748A05CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.691651585.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_9af0000_cvtres.jbxd
                          Similarity
                          • API ID:
                          • String ID: sl$sl$sl$sl
                          • API String ID: 0-3630607881
                          • Opcode ID: cd1c6f47fa939d64d5eae6b348bac1036a558eee469f0eae43d3a11b0556e66a
                          • Instruction ID: ace41fd1773b64be236ba7d9fea23a643e9bd46b00f4d4fb1090912265b0fc8a
                          • Opcode Fuzzy Hash: cd1c6f47fa939d64d5eae6b348bac1036a558eee469f0eae43d3a11b0556e66a
                          • Instruction Fuzzy Hash: 8E017C317108108F87A49BA9C56192A77FEBFDAFA0315816AF60ACF371DE30DC4187A1
                          Uniqueness

                          Uniqueness Score: -1.00%