
Windows Analysis Report
Project.exe

Overview

General Information

Sample Name: Project.exe
Analysis ID: 692165
MD5: 11b5e216a3a2e854138f556ad14f5209
SHA1: 9a69fc577b01037b0428e7fdab304e087e9fabf4
SHA256: b1181376125a5a10e0643ac86b6f84dcbd805fb8c34220a8223cc1cc8d25c570
Tags: AgentTesla, exe, Telegram

Detection

AgentTesla, AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Yara detected AsyncRAT
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Project.exe (PID: 5012 cmdline: "C:\Users\user\Desktop\Project.exe" MD5: 11B5E216A3A2E854138F556AD14F5209)
    • powershell.exe (PID: 6052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • InstallUtil.exe (PID: 4888 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • InstallUtil.exe (PID: 1928 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup
{
  "C2 url": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendMessage"
}
{
  "Exfil Mode": "Telegram",
  "Chat id": "1952161154",
  "Chat URL": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument"
}
Source | Rule | Description | Author | Strings
0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x310ef:$a3: MailAccountConfiguration
  • 0x31108:$a5: SmtpAccountConfiguration
  • 0x310cf:$a8: set_BindingAccountConfiguration
  • 0x30022:$a11: get_securityProfile
  • 0x2fec3:$a12: get_useSeparateFolderTree
  • 0x31832:$a13: get_DnsResolver
  • 0x302d2:$a14: get_archivingScope
  • 0x300fa:$a15: get_providerName
  • 0x3281d:$a17: get_priority
  • 0x31df1:$a18: get_advancedParameters
  • 0x31209:$a19: get_disabledByRestriction
  • 0x2fc99:$a20: get_LastAccessed
  • 0x3036c:$a21: get_avatarType
  • 0x31f08:$a22: get_signaturePresets
  • 0x309ae:$a23: get_enableLog
  • 0x30177:$a26: set_accountName
  • 0x32353:$a27: set_InternalServerPort
  • 0x2f621:$a28: set_bindingConfigurationUID
  • 0x31ece:$a29: set_IdnAddress
  • 0x326d1:$a30: set_GuidMasterKey
  • 0x301d2:$a31: set_username
00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
14.0.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
14.0.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
14.0.InstallUtil.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
14.0.InstallUtil.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30daa:$s1: get_kbok
  • 0x316de:$s2: get_CHoo
  • 0x32339:$s3: set_passwordIsSet
  • 0x30bae:$s4: get_enableLog
  • 0x35301:$s8: torbrowser
  • 0x33cdd:$s10: logins
  • 0x335ab:$s11: credential
  • 0x2ff87:$g1: get_Clipboard
  • 0x2ff95:$g2: get_Keyboard
  • 0x2ffa2:$g3: get_Password
  • 0x3158c:$g4: get_CtrlKeyDown
  • 0x3159c:$g5: get_ShiftKeyDown
  • 0x315ad:$g6: get_AltKeyDown
14.0.InstallUtil.exe.400000.0.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x312ef:$a3: MailAccountConfiguration
  • 0x31308:$a5: SmtpAccountConfiguration
  • 0x312cf:$a8: set_BindingAccountConfiguration
  • 0x30222:$a11: get_securityProfile
  • 0x300c3:$a12: get_useSeparateFolderTree
  • 0x31a32:$a13: get_DnsResolver
  • 0x304d2:$a14: get_archivingScope
  • 0x302fa:$a15: get_providerName
  • 0x32a1d:$a17: get_priority
  • 0x31ff1:$a18: get_advancedParameters
  • 0x31409:$a19: get_disabledByRestriction
  • 0x2fe99:$a20: get_LastAccessed
  • 0x3056c:$a21: get_avatarType
  • 0x32108:$a22: get_signaturePresets
  • 0x30bae:$a23: get_enableLog
  • 0x30377:$a26: set_accountName
  • 0x32553:$a27: set_InternalServerPort
  • 0x2f821:$a28: set_bindingConfigurationUID
  • 0x320ce:$a29: set_IdnAddress
  • 0x328d1:$a30: set_GuidMasterKey
  • 0x303d2:$a31: set_username
                No Sigma rule has matched
Timestamp: 08/29/22-10:54:45.237734
Source IP: 192.168.2.6
Destination IP: 149.154.167.220
Source Port: 49800
Destination Port: 443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected


                AV Detection

Source: Project.exe | Virustotal: Detection: 35%
Source: Project.exe | Avira: detected
Source: Project.exe | Joe Sandbox ML: detected
Source: 14.0.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.Project.exe.3e959f8.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1952161154", "Chat URL": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument"}
Source: Project.exe.5012.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendMessage"}
Source: Project.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Project.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.6:49800 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Project.exe.51f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Project.exe.414b190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Project.exe.3f80360.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Project.exe.3e959f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.345928106.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: InstallUtil.exe, 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: InstallUtil.exe, 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://PHCGWf.com
Source: Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: Project.exe, 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/
Source: InstallUtil.exe, 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocumentdocument-----
Source: Project.exe, 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.345928106.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Project.exe, 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.345928106.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: Project.exe, 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: api.telegram.org

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Process Memory Space: Project.exe PID: 5012, type: MEMORYSTR

                System Summary

Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Project.exe.3e959f8.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Project.exe.3e959f8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Project.exe.414b190.2.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Project.exe.3f80360.3.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Project.exe.51f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Project.exe.51f0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Project.exe.414b190.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Project.exe.3f80360.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Project.exe.3e959f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Project.exe.3e959f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Project.exe.3e959f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000000.00000002.345928106.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Project.exe PID: 5012, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 1928, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 1928, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Project.exe, yrol.cs | Large array initialization: ljhj: array initializer size 1879568
Source: 14.0.InstallUtil.exe.400000.0.unpack, <PrivateImplementationDetails>{5029162B-2D4E-489B-8212-1A5255E1EA59}/4695CF78-3B59-4037-B8EE-F86771E06890.cs | Large array initialization: .cctor: array initializer size 12005
Source: Project.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Project.exe.3e959f8.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Project.exe.3e959f8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Project.exe.414b190.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Project.exe.3f80360.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Project.exe.51f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Project.exe.51f0000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Project.exe.414b190.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Project.exe.3f80360.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Project.exe.3e959f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Project.exe.3e959f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Project.exe.3e959f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000000.00000002.345928106.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Project.exe PID: 5012, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: InstallUtil.exe PID: 1928, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: InstallUtil.exe PID: 1928, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_01234B00
Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_0123092C
Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_012310E0
Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_012310D0
Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_0123F318
Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_01234AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 14_2_01764837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 14_2_01763CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 14_2_01765490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 14_2_01763CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 14_2_06586508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 14_2_065890D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 14_2_06587120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 14_2_06586850
Source: Project.exe, 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameVotmPjzzoZkNsXdXaeSGCVVue.exe4 vs Project.exe
Source: Project.exe, 00000000.00000000.252464187.0000000000980000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFulbuvqby.exe" vs Project.exe
Source: Project.exe, 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameVotmPjzzoZkNsXdXaeSGCVVue.exe4 vs Project.exe
Source: Project.exe, 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUeqxolzlcuvf.dll" vs Project.exe
Source: Project.exe, 00000000.00000002.345928106.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameUeqxolzlcuvf.dll" vs Project.exe
Source: Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameVotmPjzzoZkNsXdXaeSGCVVue.exe4 vs Project.exe
Source: Project.exe | Binary or memory string: OriginalFilenameFulbuvqby.exe" vs Project.exe
Source: Project.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Project.exe | Virustotal: Detection: 35%
Source: Project.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Project.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Project.exe "C:\Users\user\Desktop\Project.exe"
Source: C:\Users\user\Desktop\Project.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Project.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\Project.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\Project.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\Desktop\Project.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\Project.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\Project.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Project.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Project.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4lml3wq.nf1.ps1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/6@1/0
Source: C:\Users\user\Desktop\Project.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: Project.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Project.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01
Source: Project.exe, yrom.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 14.0.InstallUtil.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.0.InstallUtil.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Project.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Project.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Project.exe | Static file information: File size 1887232 > 1048576
Source: Project.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Project.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1cc200
Source: Project.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                barindex
                Source: Project.exe, yrok.cs | .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_01231329 push ds; ret 0_2_01231335
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C252A8 push edx; retn 0002h 0_2_02C252FE
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C252B0 push edx; retn 0002h 0_2_02C252FE
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C21E41 push ds; retn 0002h 0_2_02C21EFE
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C21E48 push ds; retn 0002h 0_2_02C21EFE
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C20650 push es; retn 0002h 0_2_02C206AE
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C20658 push es; retn 0002h 0_2_02C206AE
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C22659 pushfd ; retn 0002h 0_2_02C226A5
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C22660 pushfd ; retn 0002h 0_2_02C226A5
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25604 push ebp; retn 0002h 0_2_02C25606
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25610 push esi; retn 0002h 0_2_02C2566E
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25618 push esi; retn 0002h 0_2_02C2566E
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C24FC1 push eax; retn 0002h 0_2_02C25016
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C24FC8 push eax; retn 0002h 0_2_02C25016
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C2537A push esp; retn 0002h 0_2_02C2541E
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25378 push esp; retn 0002h 0_2_02C2541E
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25308 push ebx; retn 0002h 0_2_02C25366
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25310 push ebx; retn 0002h 0_2_02C25366
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25480 push esp; retn 0002h 0_2_02C254CE
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25081 push edx; retn 0002h 0_2_02C2529E
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25088 push edx; retn 0002h 0_2_02C2529E
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25488 push esp; retn 0002h 0_2_02C254CE
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C20420 push es; retn 0002h 0_2_02C20646
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25432 push esp; retn 0002h 0_2_02C25476
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C25430 push esp; retn 0002h 0_2_02C25476
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C20590 push es; retn 0002h 0_2_02C20646
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C255B0 push ebp; retn 0002h 0_2_02C25606
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C2554A push ebp; retn 0002h 0_2_02C2559E
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C26548 push eax; retn 0002h 0_2_02C2665D
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C26550 push eax; retn 0002h 0_2_02C2665D
                Source: C:\Users\user\Desktop\Project.exe | Code function: 0_2_02C24168 push eax; ret 0_2_02C24169
                Source: initial sample | Static PE information: section name: .text entropy: 7.999764792551768

                Boot Survival

                Source: Yara match | File source: Process Memory Space: Project.exe PID: 5012, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Project.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: Project.exe PID: 5012, type: MEMORYSTR
                Source: Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\Project.exe TID: 3792 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1012 | Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3804 | Thread sleep time: -26747778906878833s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4444 | Thread sleep count: 9841 > 30
                Source: C:\Users\user\Desktop\Project.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9339
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 9841
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Project.exe | Process information queried: ProcessInformation
                Source: Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware|VIRTUAL|A M I|Xen
                Source: Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft|VMWare|Virtual
                Source: C:\Users\user\Desktop\Project.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Project.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Project.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                Source: C:\Users\user\Desktop\Project.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                Source: C:\Users\user\Desktop\Project.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 438000
                Source: C:\Users\user\Desktop\Project.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43A000
                Source: C:\Users\user\Desktop\Project.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F00008
                Source: C:\Users\user\Desktop\Project.exe | Process created: Base64 decoded Start-Sleep -Seconds 20
                Source: C:\Users\user\Desktop\Project.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Project.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\Desktop\Project.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                Source: C:\Users\user\Desktop\Project.exe | Queries volume information: C:\Users\user\Desktop\Project.exe VolumeInformation
                Source: C:\Users\user\Desktop\Project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Users\user\Desktop\Project.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Project.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_06585594 GetUserNameW,14_2_06585594

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match; File source: Process Memory Space: Project.exe PID: 5012, type: MEMORYSTR

Stealing of Sensitive Information

Source: Yara match; File source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 1928, type: MEMORYSTR
Source: Yara match; File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Project.exe.3e959f8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Project.exe.3e959f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Project.exe PID: 5012, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 1928, type: MEMORYSTR
Source: Yara match; File source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 1928, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 1928, type: MEMORYSTR
Source: Yara match; File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Project.exe.3e959f8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Project.exe.3e959f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Project.exe PID: 5012, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 1928, type: MEMORYSTR
MITRE ATT&CK Matrix, listed per tactic (bracketed digits are the signature-count badges the matrix shows next to matched techniques; techniques without a badge are the matrix's unmatched placeholders):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job [1]; PowerShell [1]; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [211]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [211]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [12]; Software Packing [13]; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; File and Directory Discovery [1]; System Information Discovery [113]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data [11]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Web Service [1]; Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior graph legend (icons not reproduced): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
Behavior Graph ID: 692165; Sample: Project.exe; Start date: 29/08/2022; Architecture: WINDOWS; Score: 100
Contacted domain: api.telegram.org
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures
Project.exe (started)
  Dropped file: C:\Users\user\AppData\...\Project.exe.log, ASCII
  Signatures: Encrypted powershell cmdline option found; Writes to foreign memory regions; Injects a PE file into a foreign processes
  Started: InstallUtil.exe; powershell.exe; InstallUtil.exe
    InstallUtil.exe signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    powershell.exe started: conhost.exe



Initial sample
Source | Detection | Scanner | Label
Project.exe | 36% | Virustotal |
Project.exe | 100% | Avira | TR/Dropper.Gen
Project.exe | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches

Unpacked PE files
Source | Detection | Scanner | Label
0.0.Project.exe.7b0000.0.unpack | 100% | Avira | HEUR/AGEN.1216705
14.0.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
http://PHCGWf.com | 0% | Avira URL Cloud | safe


Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high

URLs found in memory and binary data
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | InstallUtil.exe, 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | InstallUtil.exe, 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson | Project.exe, 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.345928106.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://api.telegram.org/bot | Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | InstallUtil.exe, 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Project.exe, 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocumentdocument----- | InstallUtil.exe, 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://james.newtonking.com/projects/json | Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://PHCGWf.com | InstallUtil.exe, 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.newtonsoft.com/jsonschema | Project.exe, 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.345928106.00000000051F0000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/ | Project.exe, 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Project.exe, 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
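The two api.telegram.org URLs above carry the complete bot credential (bot ID and secret token) that the sample uses to call sendDocument, which is how the stolen data leaves the host; the "Uses the Telegram API (likely for C&C communication)" signature and the Snort alert both key off this. Whoever holds that token can read and send through the bot, so it is both a strong IOC and a secret that should not be pasted into a shared report verbatim. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it pulls bot IDs, tokens and API methods out of a list of memory strings (the sample strings here are constructed from this report), maps the extraction artifact "sendDocumentdocument-----" back to the method name, and emits IOC lines with the token masked. The 35-character token length, the list of Bot API methods and the function names are assumptions of this example.

```python
import re
from typing import Any, Dict, List

# Constructed sample input: the Telegram-related memory strings listed in this
# report, plus one unrelated URL for contrast.
SAMPLE_STRINGS: List[str] = [
    "https://api.telegram.org/bot",
    "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocumentdocument-----",
    "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/",
    "https://www.newtonsoft.com/jsonschema",
]

# bot<id>:<token>, optionally followed by /<method...>. The 35-character token
# length is an assumption taken from the observed token; widen it if your
# samples differ.
_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<bot_id>\d{6,12}):(?P<token>[A-Za-z0-9_-]{35})"
    r"(?:/(?P<rest>[A-Za-z]+))?"
)

# Bot API methods a stealer is likely to call (assumed list; extend as needed).
# Longest-first so that a prefix match picks the most specific method name.
_KNOWN_METHODS = sorted(
    ["sendDocument", "sendMessage", "sendPhoto", "getUpdates", "getMe"],
    key=len, reverse=True,
)


def _method_from_fragment(fragment: str) -> str:
    """Map 'sendDocumentdocument-----' (method name fused with the multipart body
    by string extraction) back to 'sendDocument'; unknown fragments are kept."""
    for method in _KNOWN_METHODS:
        if fragment.startswith(method):
            return method
    return fragment


def extract_bot_tokens(strings: List[str]) -> List[Dict[str, Any]]:
    """One record per distinct (bot_id, token), with the set of API methods seen."""
    found: Dict[str, Dict[str, Any]] = {}
    for s in strings:
        for m in _BOT_URL.finditer(s):
            key = f"{m['bot_id']}:{m['token']}"
            rec = found.setdefault(
                key, {"bot_id": m["bot_id"], "token": m["token"], "methods": set()}
            )
            if m["rest"]:
                rec["methods"].add(_method_from_fragment(m["rest"]))
    return list(found.values())


def redact_token(token: str, keep: int = 4) -> str:
    """Keep the first `keep` characters so analysts can still correlate samples,
    mask the rest so that sharing the IOC does not hand out control of the bot."""
    return token[:keep] + "*" * (len(token) - keep)


def ioc_lines(strings: List[str]) -> List[str]:
    """Human-readable IOC lines with the token redacted."""
    lines = []
    for rec in extract_bot_tokens(strings):
        methods = ",".join(sorted(rec["methods"])) or "(none seen)"
        lines.append(
            f"telegram bot_id={rec['bot_id']} token={redact_token(rec['token'])} methods={methods}"
        )
    return lines


if __name__ == "__main__":
    for line in ioc_lines(SAMPLE_STRINGS):
        print(line)
```

The bot ID is enough to pivot on across reports (the "api.telegram.org" context table below lists many other samples using the same endpoint), while the full token stays with the analyst who needs it to request revocation.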
                            No contacted IP infos
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 692165
Start date and time: 2022-08-29 10:51:35 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Project.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/6@1/0
EGA Information:
• Successful, ratio: 50%
HDC Information: Failed
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 146
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target Project.exe, PID 5012 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:52:43 | API Interceptor | 41x Sleep call for process: powershell.exe modified
10:53:25 | API Interceptor | 540x Sleep call for process: InstallUtil.exe modified
                            No context
Match | Associated Sample Name / URL | Detection | Context (IP)
api.telegram.org | sBTM72vwbi.exe | malicious | 149.154.167.220
api.telegram.org | Offer Request.exe | malicious | 149.154.167.220
api.telegram.org | SecuriteInfo.com.Trojan.DownloaderNET.345.6262.30911.exe | malicious | 149.154.167.220
api.telegram.org | kSWRj3IWeD.exe | malicious | 149.154.167.220
api.telegram.org | SecuriteInfo.com.Heur.31022.29250.exe | malicious | 149.154.167.220
api.telegram.org | PI-166..exe | malicious | 149.154.167.220
api.telegram.org | SecuriteInfo.com.W32.AIDetectNet.01.27885.exe | malicious | 149.154.167.220
api.telegram.org | CD227FB7681D6999EF6A988C769E3C5888DA335FDBF26.exe | malicious | 149.154.167.220
api.telegram.org | 921041-183 DRAFT.xlsx | malicious | 149.154.167.220
api.telegram.org | 29EF68782D29DAB6D078208FCA5D704BA33542A596EC3.exe | malicious | 149.154.167.220
api.telegram.org | 20220826_7745553654.exe | malicious | 149.154.167.220
api.telegram.org | ServiceNetPayments-2022-08-25_0083472.exe | malicious | 149.154.167.220
api.telegram.org | NDHSGSD.exe | malicious | 149.154.167.220
api.telegram.org | BNADMGDS.exe | malicious | 149.154.167.220
api.telegram.org | DgGkOxIRui_ori40teleevery.js | malicious | 149.154.167.220
api.telegram.org | T7gkM4NERP.exe | malicious | 149.154.167.220
api.telegram.org | walmart orderlist.js | malicious | 149.154.167.220
api.telegram.org | PO on IMP Sheet.xlsx | malicious | 149.154.167.220
api.telegram.org | product details & specifications.exe | malicious | 149.154.167.220
api.telegram.org | Quotation Nr150320220825.exe | malicious | 149.154.167.220
                            No context
                            No context
                            No context
Process: C:\Users\user\Desktop\Project.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1039
Entropy (8bit): 5.3436815157474165
Encrypted: false
SSDEEP: 24:ML9E4Ks2EAE4Kzr7RKDE4KhK3VZ9pKhyE4KdE4KBLWE4Ks:MxHKXEAHKzvRYHKhQnoyHKdHKBqHKs
MD5: 20799406D8EAB97C5485A916A278ED0D
SHA1: 8547571BD0A17ED48FBECDE6D5E4749A66933D53
SHA-256: BDDBB29FA099BDEB1C409FE844BDA2820D0550E0C97F7A64E01A0EAE4DBDF067
SHA-512: CA887D0283B3B65BDFA91C90FAAD4C485B3861EEE54C1E6C3A7563DA77DD0D59AC20207259084E2A85E8FC25A48EB805E86904DA60B4C165B03B4A7D758C7506
Malicious: true
Reputation: low
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.Data, Version=4.0.0.0, Culture=neutra
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 5829
Entropy (8bit): 4.8968676994158
Encrypted: false
SSDEEP: 96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5: 36DE9155D6C265A1DE62A448F3B5B66E
SHA1: 02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256: 8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512: C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious: false
Reputation: high, very likely benign file
                            Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 17204
Entropy (8bit): 5.5359908423955995
Encrypted: false
SSDEEP: 384:Ht9/c0fJ9VYp1ZO0wpC3AnY4KnajultI2R7Y9gSSJ3kN1/qYKy:zwp1ZOptY4KaCltZxScCjd
MD5: 67B84A32D98FEE8E3D4305D53878F942
SHA1: 19BFAA93373CD2CA5284EE6B947945110DD13D5A
SHA-256: E163488D0AB58FBED901DD6AEE4C80C2F1A4E8DDFCF59267B13029CE43EE67D0
SHA-512: 51DE0A655CE60F7430FFF72100F933977D01D07A4BD29C5EFB91758DF5B2ED997C8EE27FC62663B756E019A62B3BF775BCC913B5E53CDAD170EE263C199729AC
Malicious: false
                            Preview:@...e.....................m.C.?.p...9.B..............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)S.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1003
                            Entropy (8bit):5.181641505354513
                            Encrypted:false
                            SSDEEP:24:BxSAh7vBVL7v+x2DOXUWjxo3WrxtHjeTKKjX4CIym1ZJXXqnxSAZq:BZZvTLKoODltqDYB1ZWZZq
                            MD5:10EA6BAEADCB7F69EE55DE623F2412D2
                            SHA1:4771FAF3A8961E93698F1907FFD3EA25D209E75F
                            SHA-256:E3CFA8E649CCFC087246341C94FC37737116498421F84B7E52CA2E8010E84BE6
                            SHA-512:5CB6DECE2E191B8466144795C630B6F108CC93087651B95D6BCBE175581D776F06580652708DF8FD8E6EEE5C7B45701650A38A36E6010F70E270A3960E8655CE
                            Malicious:false
                            Preview:.**********************..Windows PowerShell transcript start..Start time: 20220829105242..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 965969 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==..Process ID: 6052..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220829105242..**********************..PS>Start-Sleep -Seconds 20..**********************..Command start time: 20220829105813..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20220829105813..*********************
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.999415767266183
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:Project.exe
                            File size:1887232
                            MD5:11b5e216a3a2e854138f556ad14f5209
                            SHA1:9a69fc577b01037b0428e7fdab304e087e9fabf4
                            SHA256:b1181376125a5a10e0643ac86b6f84dcbd805fb8c34220a8223cc1cc8d25c570
                            SHA512:ecfbd8a4ceef5cb67ee6fff28048ee7d643f756f0f6ced279b738d81f8592659df11f6bad934e6f1e3eb51b061c97bccf14371cd3962886ff14402b06365649f
                            SSDEEP:49152:a0lrb+CWQfwBGzApJ78bedBjrTHNYCZXdb2g7d:vrb+zBcAYbejvNYCZXdrd
                            TLSH:859533100264154BDBF97BB82AF3E7D60627B3149294F82F71CE18AF7D573408A6B62D
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.c..............0.................. ........@.. .......................@............@................................
                            Icon Hash:00828e8e8686b000
                            Entrypoint:0x5ce0de
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x630C63E3 [Mon Aug 29 06:59:47 2022 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ce090 | 0x4b | .text
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d0000 | 0x600 | .rsrc
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1d2000 | 0xc | .reloc
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                             Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             .text | 0x2000 | 0x1cc0e4 | 0x1cc200 | False | 0.9992460226500951 | data | 7.999764792551768 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                             .rsrc | 0x1d0000 | 0x600 | 0x600 | False | 0.4010416666666667 | data | 3.943514900298493 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             .reloc | 0x1d2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                             Name | RVA | Size | Type | Language | Country
                             RT_VERSION | 0x1d0090 | 0x2dc | data | |
                             RT_MANIFEST | 0x1d037c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                             DLL | Import
                             mscoree.dll | _CorExeMain


                             Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                             08/29/22-10:54:45.237734 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49800 | 443 | 192.168.2.6 | 149.154.167.220
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Aug 29, 2022 10:54:45.068371058 CEST | 56123 | 53 | 192.168.2.6 | 8.8.8.8
                             Aug 29, 2022 10:54:45.088453054 CEST | 53 | 56123 | 8.8.8.8 | 192.168.2.6
                             Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                             Aug 29, 2022 10:54:45.068371058 CEST | 192.168.2.6 | 8.8.8.8 | 0x36c2 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)
                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                             Aug 29, 2022 10:54:45.088453054 CEST | 8.8.8.8 | 192.168.2.6 | 0x36c2 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)


                            Target ID:0
                            Start time:10:52:33
                            Start date:29/08/2022
                            Path:C:\Users\user\Desktop\Project.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Project.exe"
                            Imagebase:0x7b0000
                            File size:1887232 bytes
                            MD5 hash:11B5E216A3A2E854138F556AD14F5209
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.342458204.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.345928106.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.345928106.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.340319043.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.342678860.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low

                            Target ID:2
                            Start time:10:52:39
                            Start date:29/08/2022
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
                            Imagebase:0x160000
                            File size:430592 bytes
                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Reputation:high

                            Target ID:3
                            Start time:10:52:40
                            Start date:29/08/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6da640000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:13
                            Start time:10:53:07
                            Start date:29/08/2022
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                            Imagebase:0x1b0000
                            File size:41064 bytes
                            MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:14
                            Start time:10:53:11
                            Start date:29/08/2022
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                            Imagebase:0xdb0000
                            File size:41064 bytes
                            MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000E.00000000.336086561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 0000000E.00000002.521474646.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:high

                            Executed Functions

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: MZ+}$UUUU
                            • API String ID: 0-152894188
                            • Opcode ID: 539a85e3b99895fe68f48bd004e69574cc8c266c27f3a0f38003fd929b339e4d
                            • Instruction ID: 9db5e444c196109b3743619ac8f7b4a37d5fcce315021dbeb552d68a8326d0be
                            • Opcode Fuzzy Hash: 539a85e3b99895fe68f48bd004e69574cc8c266c27f3a0f38003fd929b339e4d
                            • Instruction Fuzzy Hash: 34B2B375E10628CFDB64CF69C984A99BBB2BF89304F1581E9D50DAB321DB319E81CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dcb8a6541f483240ed4219ea93268f8b88992c0e706cc4032aa36b9d3c0d59fc
                            • Instruction ID: 857164d19117a9a418f6c6ef34646de5c8e2102cc319344718a492290344fe76
                            • Opcode Fuzzy Hash: dcb8a6541f483240ed4219ea93268f8b88992c0e706cc4032aa36b9d3c0d59fc
                            • Instruction Fuzzy Hash: 1FC172B5E006188FDB58CF6AC944ADDBBF2AF89300F14C1A9D909AB365DB305E85CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: HrXl$/l^
                            • API String ID: 0-1822142118
                            • Opcode ID: 0a7d6caef2296b65670f35622624c6e1a4c400d7adcfa018380b0c319ee47ccc
                            • Instruction ID: fd2b1266742197f6f25d099b8ad8b2bebbc9a80a5116b74b60aa4b993c686430
                            • Opcode Fuzzy Hash: 0a7d6caef2296b65670f35622624c6e1a4c400d7adcfa018380b0c319ee47ccc
                            • Instruction Fuzzy Hash: E5518EB1B10204CFC744DB38D498AA97BF2EF89650B154469E906DB3A2DB30DC06CB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0#{
                            • API String ID: 0-2723472215
                            • Opcode ID: c2bd2bbdd0b0a54314616f73c6bb2a22a2e31b4b9ea04222066a8e2e167ff158
                            • Instruction ID: 5be3e2544f9324766d197cc5372671fa3b5d7b6670d84758e663ad77884ab2c9
                            • Opcode Fuzzy Hash: c2bd2bbdd0b0a54314616f73c6bb2a22a2e31b4b9ea04222066a8e2e167ff158
                            • Instruction Fuzzy Hash: 85512674B601149FCB48DB69C899A5DBBF6AF89710B1580A9E106DB371DBB1EC018F90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: HrXl
                            • API String ID: 0-519563743
                            • Opcode ID: 7c82b3c9d808e86a79f925ac64f2f6a5d187e87d6b20f87aca1130507b24436d
                            • Instruction ID: 6b782e75c3d7d23d8dd72fbb27392c0cb6b9fc994aad8c053ac72c7ce288912b
                            • Opcode Fuzzy Hash: 7c82b3c9d808e86a79f925ac64f2f6a5d187e87d6b20f87aca1130507b24436d
                            • Instruction Fuzzy Hash: 935158B5B10204CFC758DB78E498A6E7BF2BF89650B114468E506EB3A1DF70EC05CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: <(Xl
                            • API String ID: 0-2608952690
                            • Opcode ID: a14566a6690b6e79fc7d86e22c2ed71bbe4beececff2f236670eff1d97e7d939
                            • Instruction ID: 730fbaa9487e3633a6b9931031b523c8344718cc0f871e5f179e574ff5dc1439
                            • Opcode Fuzzy Hash: a14566a6690b6e79fc7d86e22c2ed71bbe4beececff2f236670eff1d97e7d939
                            • Instruction Fuzzy Hash: 0441FCB0E69208DBDB14CFE5D8516EEBBF6AF8E300F10A129E419BB344CB7058418B56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: Sl
                            • API String ID: 0-3090847523
                            • Opcode ID: 16e95a1be2c8d9ce4dac58e9708ecca8b8d498242bffb2bef6961f04e51b6d7a
                            • Instruction ID: 174719d888a095d87b2d3eddf4edc47c0840d59db3ff3dfc012cbda972a4cd13
                            • Opcode Fuzzy Hash: 16e95a1be2c8d9ce4dac58e9708ecca8b8d498242bffb2bef6961f04e51b6d7a
                            • Instruction Fuzzy Hash: DE419074E04219DFCB04CBA9D488AEEBBF5FB88315F109026E919B7354D731A941CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: Xl
                            • API String ID: 0-1540247272
                            • Opcode ID: 57eb135ba161bd5799f7f4f03c2b7b8aa6640aade34b2515ebb5044c1c7ac311
                            • Instruction ID: c54a838765e0aa7091fd9d07252a5b17b9d7a4296928b9c48e352ce38a6ed53c
                            • Opcode Fuzzy Hash: 57eb135ba161bd5799f7f4f03c2b7b8aa6640aade34b2515ebb5044c1c7ac311
                            • Instruction Fuzzy Hash: C6310674E45218CFDB04DFA6D584BAEB7B5EB89305F105065E10AFB245CB345E82CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: hCXl
                            • API String ID: 0-2607597894
                            • Opcode ID: 151dbd02e2f4e964724701d6192a8eecd67706edd4d6f79250386ca3913c28be
                            • Instruction ID: d4dc0b7d14d1282e95b052825c40dc4f56019d2c764b873a243bf5e91084f22f
                            • Opcode Fuzzy Hash: 151dbd02e2f4e964724701d6192a8eecd67706edd4d6f79250386ca3913c28be
                            • Instruction Fuzzy Hash: B8312435E45219DFCB04DFA5E894AFEBBB6EB89300F204026E91AB7350DB355941CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: ZWl
                            • API String ID: 0-4220144880
                            • Opcode ID: 0badb45af0d2152ed4aa046adae8bb2e82949a754ee3a64da82e0b3afd375493
                            • Instruction ID: 2fc40c9f6da7721ce22c0cd61d66ab7fe4f0f57b4b66cba3b0c282580057a952
                            • Opcode Fuzzy Hash: 0badb45af0d2152ed4aa046adae8bb2e82949a754ee3a64da82e0b3afd375493
                            • Instruction Fuzzy Hash: 1A018070E45108AFEB44EBB0E891DBEB7F6EF85201B015999D405BB782CE30AE09CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8#{
                            • API String ID: 0-2890380015
                            • Opcode ID: fc3166512b7b4bcaa8f8016474073bca93197f5e535069b2b95f2a387d4d8dc4
                            • Instruction ID: 8f01be2345b180b793e1792ebc51a1b290f2963f05c5925e79cc10e9fa55e12c
                            • Opcode Fuzzy Hash: fc3166512b7b4bcaa8f8016474073bca93197f5e535069b2b95f2a387d4d8dc4
                            • Instruction Fuzzy Hash: 82D01222B042504F4A049B64B4289DE57DBEBC63613C14479A509BF755CF68DD46D3E1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f2221921cd9f4e104222215fef5b1c727aded48a7df6d91dccd8e7083a856cba
                            • Instruction ID: 3d2aa2b936dd97e09d3de469f0102e099a4321b7bab75f8f01586939bef83b37
                            • Opcode Fuzzy Hash: f2221921cd9f4e104222215fef5b1c727aded48a7df6d91dccd8e7083a856cba
                            • Instruction Fuzzy Hash: 1B91E0B4E00218CFDB14DFA9D994A9DBBB2FF89304F248169E405AB361DB35AD45CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 58948eaabb126aa1bf5d3b85c9159925018a272b8f4c275ecc6c6af68c770a27
                            • Instruction ID: d484ea55ba788a0108843c767646c9b6491a43a52abb66c4531a9ccb8a93e20c
                            • Opcode Fuzzy Hash: 58948eaabb126aa1bf5d3b85c9159925018a272b8f4c275ecc6c6af68c770a27
                            • Instruction Fuzzy Hash: 3791D274E44258CFDB50DFA9D884BAEBBB2FB49300F1085A9D509AB385DB709E85CF11
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: febed8593b9a889ce386dd6521f7d84d1e8df220b388268c2466f5c7325c5ca6
                            • Instruction ID: 2ca6d9061232869d58800c5d9921598f34e9b5567291ea0abccdbb3654161f9f
                            • Opcode Fuzzy Hash: febed8593b9a889ce386dd6521f7d84d1e8df220b388268c2466f5c7325c5ca6
                            • Instruction Fuzzy Hash: FC712874E455489FDB08EFE1E4946AEBBB2FF88340F148429E5066B3A4DF352E05CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 38b816fab519646d96d24e7608047c9486483f376b11699d02ef6b0e5d0311bd
                            • Instruction ID: 503d800fc98b7a2cf384ed5a082b25cd66c27d1eb97228cf34f7251189bf700b
                            • Opcode Fuzzy Hash: 38b816fab519646d96d24e7608047c9486483f376b11699d02ef6b0e5d0311bd
                            • Instruction Fuzzy Hash: 0D612B74E44218DFEB20CF65D888BADB7B6FB49340F605199E90AAB382CB715D81CF01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 20f19a7da8191bab0b5ecb830674308c7f71bff53b8c052496c782d306ace0b5
                            • Instruction ID: fa7f43360ec0bb9bdb8d1ee1d084a4b4503252674bea61cfaaf093542a0a629c
                            • Opcode Fuzzy Hash: 20f19a7da8191bab0b5ecb830674308c7f71bff53b8c052496c782d306ace0b5
                            • Instruction Fuzzy Hash: D141EF347082548FCB08EB78C4946AE77E7AFC9288B118469D509EF395DF70EE0687D2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ef49c89b7af288030c94e666710a3c54a5523e80250157249f05cf4e0644cc3b
                            • Instruction ID: 8f1c305dd1e4a2622fd9ccec05a1f99b82571d2beac513bf2cf01765713c98bc
                            • Opcode Fuzzy Hash: ef49c89b7af288030c94e666710a3c54a5523e80250157249f05cf4e0644cc3b
                            • Instruction Fuzzy Hash: 0451CAB0A59248CFDB16DF24D8457EABBB5FB8A300F0051E9D10AAB386DB744E85CF01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a506e6e4f52820e2a06a2569d28a3971def34560908a300dad70cdcb6d1cb3ee
                            • Instruction ID: 236320c883fe408d05280b042e751f3a66b891e5dbf1d2200a822dde47c701ee
                            • Opcode Fuzzy Hash: a506e6e4f52820e2a06a2569d28a3971def34560908a300dad70cdcb6d1cb3ee
                            • Instruction Fuzzy Hash: 90513B74E44218CFDB64CF65D888BADB7B6FB89344F6041A9E40AA7346CB745D85CF01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0eae69a0c6eb90aca76031e9f6a893df6d717bed0620235635b2a843e818ea09
                            • Instruction ID: d418543dd4a3558182a7f97c35b9582421faf6ddb5bf1145d09b280957a4d5d9
                            • Opcode Fuzzy Hash: 0eae69a0c6eb90aca76031e9f6a893df6d717bed0620235635b2a843e818ea09
                            • Instruction Fuzzy Hash: D451B278E05209CFDB04CFAAD484AEDBBF6FB89310F14912AE805AB355D734A946CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8ee09d418908b6e247589698b61d028f59e22d73a01ef38ddb7f57f149612743
                            • Instruction ID: 5840f2ffc8f35fb9dae0b685291c7fb213dc2fc5cbce7be38a6d7015f8916e96
                            • Opcode Fuzzy Hash: 8ee09d418908b6e247589698b61d028f59e22d73a01ef38ddb7f57f149612743
                            • Instruction Fuzzy Hash: 1B418C35B002058FCB10CF65C498A7AB7F2FF89324B168969D45ADB761DB30ED46CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 89beda59df2eef87e167b5de3c4fd51b1a4c87917d1eb6f73a2c929f15e5bf80
                            • Instruction ID: 5e945ba6c5e97cbf79a7409045ac7e2616385ddf91e0de888e132064d540104f
                            • Opcode Fuzzy Hash: 89beda59df2eef87e167b5de3c4fd51b1a4c87917d1eb6f73a2c929f15e5bf80
                            • Instruction Fuzzy Hash: 405124B4B60104DFCB49DB69C899E69BBF2EF88704B2541A9E106DB372CB71EC018F54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 598308ee8219f608e9bc5132cce8aa438f365b1514ce7493ecbaf17453685275
                            • Instruction ID: a86bc8d110ad898606d855cdee26c8a48e0fc422a6e20defb8ff89aba9b18724
                            • Opcode Fuzzy Hash: 598308ee8219f608e9bc5132cce8aa438f365b1514ce7493ecbaf17453685275
                            • Instruction Fuzzy Hash: 3C513330D49219CFCB14CFAAE488BEDBBFAFB89300F109169D40AA7245DB355985CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6b409bba2555d6f460b6122ba041268fa943252a0687eb4f7d05c750c5a3fc2
                            • Instruction ID: d84019e9e6af8dd7d64c18f7841a7573118774ed0d4fb7822ee8c79fe70cbd78
                            • Opcode Fuzzy Hash: d6b409bba2555d6f460b6122ba041268fa943252a0687eb4f7d05c750c5a3fc2
                            • Instruction Fuzzy Hash: F5518174E04218DFCB04DF99D498AEDBBF1EF88354F10902AE945AB350D734AA41DF55
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 03a1c321a7b4e95d37a5f4e5681e596db3657ebd1e1e11a5f63c707fd1a7656b
                            • Instruction ID: 99e2df3fd201e3eca033f5dacf3a66ea9b1d2a4f1b73996e19dae3e51fcb4347
                            • Opcode Fuzzy Hash: 03a1c321a7b4e95d37a5f4e5681e596db3657ebd1e1e11a5f63c707fd1a7656b
                            • Instruction Fuzzy Hash: 5441E1B9E04219CFCB04CF99E488AEDBBF5FB88315F108465E509B7344D734A981CB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 04f579e0d99df500a12f2c080e43fc6b1fba1d184cb6271984024f48bcde0153
                            • Instruction ID: 03cbf99eaf131ed08dc0ea8812a4a9ba9390442009669ff166e808cd2e84ec9b
                            • Opcode Fuzzy Hash: 04f579e0d99df500a12f2c080e43fc6b1fba1d184cb6271984024f48bcde0153
                            • Instruction Fuzzy Hash: 13413A70E05219CFDB14CFA9D488BAEB7B6EB89308F1045A5D10AFB245DB345E82CF52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 20509f56cd6d1a0135e53bc3912209b430ae7fbe2a8c3de4eaa57005c5eced81
                            • Instruction ID: 31e935de73de38f6ed125b2084976c1bd75cf2813e48c9ed106a348aa4a32bdf
                            • Opcode Fuzzy Hash: 20509f56cd6d1a0135e53bc3912209b430ae7fbe2a8c3de4eaa57005c5eced81
                            • Instruction Fuzzy Hash: 6F41F870E04219CFDB14CFA9D8847AEB7B9FB49304F2085AAD40AB7345CB345985CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1659a960b59d24085e2b176a142b4aa8afd3330f4e1db5d9cfe8bc0c3479174e
                            • Instruction ID: 893722a38833139668fb7fbd9be83a4c8c07af5eaa33bbdfc87f0be98e1d4a3c
                            • Opcode Fuzzy Hash: 1659a960b59d24085e2b176a142b4aa8afd3330f4e1db5d9cfe8bc0c3479174e
                            • Instruction Fuzzy Hash: 99410974A04218CFDB54DF69D888BAEBBB6FB49300F1084D9E50AAB346CB749D81CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cdb6bc150783f8ee4fbc6915c50a110f25fbcb9098d24e11f0730f1594ea9cb5
                            • Instruction ID: 70ee22ae8addf9d953062608d87465153f1a787a88b2c22bc9c4ebd795b8b73a
                            • Opcode Fuzzy Hash: cdb6bc150783f8ee4fbc6915c50a110f25fbcb9098d24e11f0730f1594ea9cb5
                            • Instruction Fuzzy Hash: 57313675E04209DFCB00DFA9D888AFDBBF1EB89320F108066E949A7740D7309A45CFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 501ef9b66a04f61107dc375f1fb783eb771a5fb79467d66a99bee5aa8df06ab4
                            • Instruction ID: 8f8961145b391b8e2b65b8b2d4a7e127be875be753e23a6f4c410d9267b5b1c5
                            • Opcode Fuzzy Hash: 501ef9b66a04f61107dc375f1fb783eb771a5fb79467d66a99bee5aa8df06ab4
                            • Instruction Fuzzy Hash: 32319C74A54209CBDF44DFA5E841AAEB7B6FBC9318F108429E006AB345DF346D82CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a215e0225a822f3870662b7ee532d0e5f73aa79584ffa043a31a3783a6e63046
                            • Instruction ID: 3f81d204a188907e67baa75a7a82a23805ee14ce2f19fbfd8364eede04250e0d
                            • Opcode Fuzzy Hash: a215e0225a822f3870662b7ee532d0e5f73aa79584ffa043a31a3783a6e63046
                            • Instruction Fuzzy Hash: E431A174A8811ACFCB04EBA5E8449FFB7B9FB89305F005928D10A77396CB715D05CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5f89a70ef9499243430191e81a66480de6730e9e141b0b469923f3cd2056d40b
                            • Instruction ID: 4d87095719861709c799ff25b9b33c41b9a6d5fc48e2310ba40614ec81946895
                            • Opcode Fuzzy Hash: 5f89a70ef9499243430191e81a66480de6730e9e141b0b469923f3cd2056d40b
                            • Instruction Fuzzy Hash: F441B074D45218CFDB54CFA5D888BADBBB6FB48300F2081AAE51AB7395DB309985DF10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f44f797ab0b7368dbeac7891611e38ac91ab25484183962f6c8123308ff270be
                            • Instruction ID: ea3208bedb8cdb0b47c8c3c24bbdb6995a782267fe3b2f1f5695c9c626344df0
                            • Opcode Fuzzy Hash: f44f797ab0b7368dbeac7891611e38ac91ab25484183962f6c8123308ff270be
                            • Instruction Fuzzy Hash: AD41F0B4954228CFDB61DF68D8807D9BBB5FB89300F0085A6E94AAB345DB745E81CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fdbe92641a7bbcfe218a9cdb3fd81dc3e84fa5a38fa497e0f97b8507ea27942e
                            • Instruction ID: 2b01a67380c562a74653b75a51a6a29a837fe23f0c3ee68b5b4ec87103318b7e
                            • Opcode Fuzzy Hash: fdbe92641a7bbcfe218a9cdb3fd81dc3e84fa5a38fa497e0f97b8507ea27942e
                            • Instruction Fuzzy Hash: FE411770A08218CFDB50DB68D898BADB7B6FB4A300F5051D9D10EA7255DB309EC6CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a95a002c3b85a6e029a4d2d62aa4f83a6fcc8494b65f896a01f39468d2663116
                            • Instruction ID: 1e19fc0213a73f00e8057e1e6e331ad1190b041b2d1a861b3fd33ffa717f8298
                            • Opcode Fuzzy Hash: a95a002c3b85a6e029a4d2d62aa4f83a6fcc8494b65f896a01f39468d2663116
                            • Instruction Fuzzy Hash: B631F870E05258CFEB24CF6AD8987ADBBF6BB89344F64C169C40DAB255DB314985CF00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16b699e5ba7927f9bb34012d81ae699137ab85b0547ee8d8c6139ec9d0a192a7
                            • Instruction ID: bfe57678de015feb3ad666bc200c1601ebb674f797e83a512789af65f4c8bcfa
                            • Opcode Fuzzy Hash: 16b699e5ba7927f9bb34012d81ae699137ab85b0547ee8d8c6139ec9d0a192a7
                            • Instruction Fuzzy Hash: 2C310970E05218CFEB24CF6AD8847ADB7F6BB89344F64C06AC40DAB255DB705985CF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 562b0221e010325a39ee9431d81fc659b2afdbf1529c8d6c795008ec2f759eaf
                            • Instruction ID: fb079c6323edc31f2a6ffc2782a8110a04f511533b9c96c1329b85a876de3a5a
                            • Opcode Fuzzy Hash: 562b0221e010325a39ee9431d81fc659b2afdbf1529c8d6c795008ec2f759eaf
                            • Instruction Fuzzy Hash: EE310774E0820ADFCB04EFA9C094ABEBBB6FB88314F008499D545A7351DB34AE41CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 18cd23b8d9e6838abbdd9b257e685dfda69c9da8e3afa2a9ab8a97f9b07d8ecf
                            • Instruction ID: 082aac7b770c5d0f0c96a368c740e0db9fb2f27cc7cec3780dabdeb0e5c7e3c3
                            • Opcode Fuzzy Hash: 18cd23b8d9e6838abbdd9b257e685dfda69c9da8e3afa2a9ab8a97f9b07d8ecf
                            • Instruction Fuzzy Hash: 29215C70E05209CFDB14DFAAD888AFEBBB9EB89304F045026C909B7251D7745D45CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c0321aa22d4c6903dba4bc39a71e536b127e7919381dd29637499c401847488
                            • Instruction ID: 16b0da8778c37dcfa14880ed332126c0abb881ee61fef45eb03ffa89a2ce16e8
                            • Opcode Fuzzy Hash: 8c0321aa22d4c6903dba4bc39a71e536b127e7919381dd29637499c401847488
                            • Instruction Fuzzy Hash: 51212A70E49208DBDB04CB9AD4886FEF7B9EF8D259F14946AC509B3201D7345E48CF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 22dc34f03483ba11b5a734555cc544442fc7ebd6be206db290e85dedeaddf79b
                            • Instruction ID: a073c3242a770635c0ebfb8ccdf4908d59d6b31a9fa7bbb06ca57fadd52d645c
                            • Opcode Fuzzy Hash: 22dc34f03483ba11b5a734555cc544442fc7ebd6be206db290e85dedeaddf79b
                            • Instruction Fuzzy Hash: E4313A74E40218DFDB14DFA4D884BADB7B6FB89304F2085A9E40AAB345DB345D85CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 020c52d40a7caf05d3757d4f87d14d41f203ca71f9f62c71198f3cc784064489
                            • Instruction ID: b18f53a1fccbba613d942df84c88ae98fba015cbf0e39fa53ba5c0f22110280b
                            • Opcode Fuzzy Hash: 020c52d40a7caf05d3757d4f87d14d41f203ca71f9f62c71198f3cc784064489
                            • Instruction Fuzzy Hash: 6621AE74E45209DFCB44EFA9D484AAEBBB1FB89304F10896AD815B7350D734AE45CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5c9d93820d62294784f618e3c7482764278fcbaa05d029389a151ff1b349077b
                            • Instruction ID: e7136887b6a0af03cbb49dcf2264c9f456010c3dd7ebb28c5712b3a9874b4f11
                            • Opcode Fuzzy Hash: 5c9d93820d62294784f618e3c7482764278fcbaa05d029389a151ff1b349077b
                            • Instruction Fuzzy Hash: 84211374E04209DFCB00DFA9C484AAEBBB1FB88304F10866AD819A7350D775AE41CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fb37ac71f55e99d4537ef9983a00ebb95f77a7b2c171349dce28eb0549ebeaea
                            • Instruction ID: b2577ca6cc7280fa81dcfbbe582a02f464988a4bd10e1d7e035312c948a71df3
                            • Opcode Fuzzy Hash: fb37ac71f55e99d4537ef9983a00ebb95f77a7b2c171349dce28eb0549ebeaea
                            • Instruction Fuzzy Hash: 96212670A5C204DBDB08CB7AE4457ED77F2EBC6344F08D6A9D00A6B25ACB744D498B51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8a3a89594dff08350815a2f41686eda0422a98d7148a070c0cbcbb5a02bfecd4
                            • Instruction ID: f0052d7c18fb94184c7c8ed2dbabf324f53ebda7f82e0600da876059bd764e16
                            • Opcode Fuzzy Hash: 8a3a89594dff08350815a2f41686eda0422a98d7148a070c0cbcbb5a02bfecd4
                            • Instruction Fuzzy Hash: 42218630A05218CFCF04CBAAE888AFEB3B6FB89301F005629D109B7341DBB51D41CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 22b6fbfd6fcc07770b223c881268962e47d395284f3e39e05b935150ff24901c
                            • Instruction ID: 6397d38e36ab101b6b2572caa8dd3f4ebbfa508ca73e82b0f726398f0aac52de
                            • Opcode Fuzzy Hash: 22b6fbfd6fcc07770b223c881268962e47d395284f3e39e05b935150ff24901c
                            • Instruction Fuzzy Hash: 61213071E052298BDB54DF66CC447AABBB6EF8A300F00D0EAD40DB7254DB301985CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3018a1f702befad1d56479ff31bb4ce78f2b068e81f2d54acf32232e3044323a
                            • Instruction ID: 6d266f2918110e119e6d37d6b8a3e19a81b372a9a0a5938b1b2c2adb59082df7
                            • Opcode Fuzzy Hash: 3018a1f702befad1d56479ff31bb4ce78f2b068e81f2d54acf32232e3044323a
                            • Instruction Fuzzy Hash: A1116070E092089BDB08CFA7D8845EEBBB6EF89308F149069E415BB355DB305841CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a61e9a0bedff464815090ffe10495bae5dceed1c2332a9003d499ac0e7bb32ca
                            • Instruction ID: 2cb2c8f721d776ab63a3159dbe3901bf09b7f84d01cfff4b93bcc402d26f920d
                            • Opcode Fuzzy Hash: a61e9a0bedff464815090ffe10495bae5dceed1c2332a9003d499ac0e7bb32ca
                            • Instruction Fuzzy Hash: FF21AE74E05248CFDB55DF64D8457DABBB1EB8A300F004596C219AB385DB740E8ACF81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fba76f3fdc7c3b44a1f84f9f828ffde6765969fc26da87045a839b194198681b
                            • Instruction ID: e63aa1b4085beb4daa6256f8014da03729783ae9e415261be07daf319b553458
                            • Opcode Fuzzy Hash: fba76f3fdc7c3b44a1f84f9f828ffde6765969fc26da87045a839b194198681b
                            • Instruction Fuzzy Hash: 91217974E14218CFDB55EF64D845BDAB7B5EB89300F0045A5D21AAB344DB305E868F81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8cde0317de477640d3fce5e0b4d05cfa41d951a4accb9a07ff44ab4f17478d1d
                            • Instruction ID: 8bcc019c4d0f4389d462c074b5d9ae7fe050fcea056b396272e8c749e7fbd847
                            • Opcode Fuzzy Hash: 8cde0317de477640d3fce5e0b4d05cfa41d951a4accb9a07ff44ab4f17478d1d
                            • Instruction Fuzzy Hash: 5221DB71E052288BDB58DF6ADC44BAEB7B6EB89300F00C1EAD50EB7254DB305985CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f44a6c64f86ce0939fb1dda319cfd1ec6114d1d590dac830cc314f57908fe8af
                            • Instruction ID: 1b7b274bde276fc27a98d015989857d9b155937ab14d21e26562504ca4062a09
                            • Opcode Fuzzy Hash: f44a6c64f86ce0939fb1dda319cfd1ec6114d1d590dac830cc314f57908fe8af
                            • Instruction Fuzzy Hash: 6E210274A402298FDB64DF68D984BAAB7F5FB49300F1080E9A40AA7345DB309EC1CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a636020278523085264697fd356d9deab9621ea43c47a854c7045374425b9ea2
                            • Instruction ID: 3d65f7152cfbd2c00e5d733c1c7c7ce2e6c4a0efa8d0dbdd714a5e6e42b2f0bb
                            • Opcode Fuzzy Hash: a636020278523085264697fd356d9deab9621ea43c47a854c7045374425b9ea2
                            • Instruction Fuzzy Hash: BE111574E052189FCB08CFAAD8845AEFBF6FF8A300F14806AE905AB355DB301946CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5b33f841835b97dc714785251bc6cf7fa3511d8491680889651bec7afa2211d7
                            • Instruction ID: 84a252d4d1928ccc4e2d7ac16fe7eac5bb819a475c9af83d66a706c473f9a211
                            • Opcode Fuzzy Hash: 5b33f841835b97dc714785251bc6cf7fa3511d8491680889651bec7afa2211d7
                            • Instruction Fuzzy Hash: 15114974E14208CBDB08DFAAD84069EB7F2EB8E344F10C02AE80AB7345DB705C418F90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bbcf9c9cf6c04885b0b638ebfc5398d21ab407e1f7ae06a2828cd9d3acfadd7e
                            • Instruction ID: 7c85a8fb60b109c1195daf1573a120d30d9388c17544a56ae5305ae5598173a8
                            • Opcode Fuzzy Hash: bbcf9c9cf6c04885b0b638ebfc5398d21ab407e1f7ae06a2828cd9d3acfadd7e
                            • Instruction Fuzzy Hash: 7311B2B0959254CFDB01CF28D885BACBBB5FB4B300F1055DAD45AAB286CB744E81CF01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9424264d183f11fcc668c03f09f1a8abaf012697fe1e6b3f498d5f5dd83de016
                            • Instruction ID: a5821647d053ca4715c1163fd76e10618819b1fe872d091eeeecb53c157a8bbc
                            • Opcode Fuzzy Hash: 9424264d183f11fcc668c03f09f1a8abaf012697fe1e6b3f498d5f5dd83de016
                            • Instruction Fuzzy Hash: FC11213094C248DFDB05DBB5E8156AD7BB2DBCA340F04949485466B2A6CF7419058711
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cb05988867ad84f61ae76c531407e6078a87a1e2092b30900ae71ae778d7fd7d
                            • Instruction ID: 2a4f8944d458c149d5849e585a5315b77a6d38935ef148fb330027eb4bb1cd69
                            • Opcode Fuzzy Hash: cb05988867ad84f61ae76c531407e6078a87a1e2092b30900ae71ae778d7fd7d
                            • Instruction Fuzzy Hash: C1012970E09208ABDB08CFABD8885AEBBBAAB89304F04D029E519B7355DB301841CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3722320c25752bf4ef90c4959c203f03cf290052688f02c176bd8ffd6a72cb31
                            • Instruction ID: 0ce432fd06ed95170148d3b81d6bc2fea46bcea6b60171217f55749c35cad0d5
                            • Opcode Fuzzy Hash: 3722320c25752bf4ef90c4959c203f03cf290052688f02c176bd8ffd6a72cb31
                            • Instruction Fuzzy Hash: B4114674E44218CFDB55DFA4D841ACEB7B2FB89300F1046A6D11AAB349DB305E868F81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a13b2803f4146cba54ea00ebdcac36ba7c0c32e5553cb8f059e7939f1116fd1c
                            • Instruction ID: d3c58e9a3dd84b9907991c5f5a1064a9f3d3f3cc67dc77b623f51e2c028998d3
                            • Opcode Fuzzy Hash: a13b2803f4146cba54ea00ebdcac36ba7c0c32e5553cb8f059e7939f1116fd1c
                            • Instruction Fuzzy Hash: 0111ADB0D14208CFDB00DFA8D4052AEBBF6FB89300F1095AAA91DBB305DB304A41CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6b642bd65010855e74bfc319a5d04f20e520be51789b0990d6932e51c0ffa4af
                            • Instruction ID: eec09362341fb10a38f143eea3475550c62ef9d75188194a719496399d456248
                            • Opcode Fuzzy Hash: 6b642bd65010855e74bfc319a5d04f20e520be51789b0990d6932e51c0ffa4af
                            • Instruction Fuzzy Hash: 9301F270909288DFCB05DFAAD8486BCBFB4EF8A208F0184DEC909A7251DB324A40DF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b6bf2ae8c9b9d71df20ed67646b2cf5e581ad1df47fab2f8642e5e2317884ef9
                            • Instruction ID: 09918ba89cfa45c64a94a391ce1843229c55c9b30130be11a9ef5bd83698803e
                            • Opcode Fuzzy Hash: b6bf2ae8c9b9d71df20ed67646b2cf5e581ad1df47fab2f8642e5e2317884ef9
                            • Instruction Fuzzy Hash: 2B012B70A58208DBDB08DB76E5057AE77F6DBCA344F009828950A6B355CF741D458B51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 48462af635bafdf385f93ea34388622c7d082a66050acb61bc011a0b660eea93
                            • Instruction ID: 5957b0a11752054cd1b86530509e7827c6b73f14afef9242613086d3eb9a74b4
                            • Opcode Fuzzy Hash: 48462af635bafdf385f93ea34388622c7d082a66050acb61bc011a0b660eea93
                            • Instruction Fuzzy Hash: CC018F70E042099FCB44DFA9D8487BEF7F5FB88344F508599D819A3344DB309A41CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339588610.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c20000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 55b33a47afe18af5172d8d4d849b6d3d599a4854aad89c4c9981ad2689a8873e
                            • Instruction ID: c1d7918b73490aef6fe9b7108316d6a8ccfe2d350a2e5336260dbab41f2f74d7
                            • Opcode Fuzzy Hash: 55b33a47afe18af5172d8d4d849b6d3d599a4854aad89c4c9981ad2689a8873e
                            • Instruction Fuzzy Hash: C511803090A794DFCB06CF68D85465DBFF0AF46205F2690EBC4499B2A2C7345A48DF22
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 46e5c604977eeea44b7ef86395c0a8d3070d7002309955199f7d32c8fad82f9d
                            • Instruction ID: 6f8cd39a9c15fb64353e274ee9e8247df91b897ca42b594c3bd88d69906aa7c8
                            • Opcode Fuzzy Hash: 46e5c604977eeea44b7ef86395c0a8d3070d7002309955199f7d32c8fad82f9d
                            • Instruction Fuzzy Hash: F9F062797092409FD321CB6CD498AA67BF2BBDD2147194596E185CB362D661CC02CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339588610.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c20000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1bc1d40053b42f5550882f70bf9fa7417597c1db4c282744767c65ceadd201de
                            • Instruction ID: 730a6fe96b6d76accf5218f5460d71d68d91941b9cae46f40bfab46c365268a0
                            • Opcode Fuzzy Hash: 1bc1d40053b42f5550882f70bf9fa7417597c1db4c282744767c65ceadd201de
                            • Instruction Fuzzy Hash: C6011634E04628EFCB04DFA9D54469DBBF1EB85205F2290E9D805A7350DB309F48DF52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b442984e791f9584ad2a659fdbd79535edba1bc7abf1ebfc0b2089f0cebeb876
                            • Instruction ID: 3bd0377c9b3f1c1cb53a90aaf22c621606f3e07735273154468b1230af9a13fd
                            • Opcode Fuzzy Hash: b442984e791f9584ad2a659fdbd79535edba1bc7abf1ebfc0b2089f0cebeb876
                            • Instruction Fuzzy Hash: 98012878D04208DFCB40DFA9D544AAEBBF5FB48300F5085AAC818A3340D7355E40CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c3e3352a584e54b99a359a9e6fc0afa1bb5de04dede223e2d8ab0ed96c45c770
                            • Instruction ID: cd755e291600f03a4c8eec70def46609054b3a5d3e0a71481fa7091f8c4c2238
                            • Opcode Fuzzy Hash: c3e3352a584e54b99a359a9e6fc0afa1bb5de04dede223e2d8ab0ed96c45c770
                            • Instruction Fuzzy Hash: 3D01C874E4425ACFDB10CFA5D884BAEBBB5FB49304F20949AD806B7345DB345982CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 76a443b473df55593e8a88bcf9f2afcfb8909d905e906e88c16b5757c0ae686b
                            • Instruction ID: 7661b03d74d49bd55f2d2f1ca85e4bb3693e7ac1afcae541f34f74e2c45443cb
                            • Opcode Fuzzy Hash: 76a443b473df55593e8a88bcf9f2afcfb8909d905e906e88c16b5757c0ae686b
                            • Instruction Fuzzy Hash: 5AF06D30D053489FC742DFAAD40866DBFB4EB47204F1085E6C949A7292D7388A55CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9275723454d8ce4492e8341908d90146e3355216480d7442192624234afd4868
                            • Instruction ID: 2ce378ff956466bbb7be308640eadec2d8113fa305a1e3a3fb0ed411b025265a
                            • Opcode Fuzzy Hash: 9275723454d8ce4492e8341908d90146e3355216480d7442192624234afd4868
                            • Instruction Fuzzy Hash: AE01B274D04209DFCB44DFA9D489AAEBBF4FB48315F1085AAD919A3350D7309A80CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 21b26c6e8ade39f0844f76960b8e4742f45fb3e6668771218eee469a85d47560
                            • Instruction ID: 271f86745a4a779140aef87cf2ecd54c58a18c160572b35de4bf5cfcd5f7105a
                            • Opcode Fuzzy Hash: 21b26c6e8ade39f0844f76960b8e4742f45fb3e6668771218eee469a85d47560
                            • Instruction Fuzzy Hash: 74018074A002189FCB40DFA9E984AAEB7F6FB48300F109595E916B7344CA709E81CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7de728700e10c8c17d8ea7939f3dc079d14846ea771c260f36524a92403a4513
                            • Instruction ID: e470dec64c65f02fce32dce632b4f70749113e8c77fb384d1e7ad7ecc8025080
                            • Opcode Fuzzy Hash: 7de728700e10c8c17d8ea7939f3dc079d14846ea771c260f36524a92403a4513
                            • Instruction Fuzzy Hash: 7DF04970D09249CFCB45DFA8C4841ADBFB1FF4A308F1045AAC518A7310D7304A41CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70d62cc2863bccc69b518c2d142ef170a2327b3f4e57bccec779970c2282a96f
                            • Instruction ID: bd8d5d5abf4e1765586c7d3dfd7a0b6ecf72f300768eed59c37e726c3f4bb3c5
                            • Opcode Fuzzy Hash: 70d62cc2863bccc69b518c2d142ef170a2327b3f4e57bccec779970c2282a96f
                            • Instruction Fuzzy Hash: 4301FBB4E55228CFEB15DF29D8453AABBB5EB8A300F1044E9D14A6B286CB740EC5CF01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b0564935c1eaba9bbbe2336adb85efcca34922a48bb51e9ae46b83ed597db0f6
                            • Instruction ID: 407e3e1a1872665add200ffa3940db8080bca7ced3ac8ec37e471cee5f75bf8f
                            • Opcode Fuzzy Hash: b0564935c1eaba9bbbe2336adb85efcca34922a48bb51e9ae46b83ed597db0f6
                            • Instruction Fuzzy Hash: FDF05E34808248EFCB05CFA9D9481ACFFB4AF4A308F1480EAC84897242C7355A45DB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d33ec145896b9929b5b5c63f15f3cd3120935e3060f0f6a2fb197ada9bcaf4a1
                            • Instruction ID: 47eaec9cd8649067261723c135eddda099ba4d50dd0f7451b74dc08dc5815996
                            • Opcode Fuzzy Hash: d33ec145896b9929b5b5c63f15f3cd3120935e3060f0f6a2fb197ada9bcaf4a1
                            • Instruction Fuzzy Hash: 1EF01770D09244EFCB41DFA9D4556ACBFB0EF4A208B14C4EAC858E3242D6395A45CF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 920193a0f2747f3809534389da2727f4e0d9136638a45ce2b8b30d85bb9509c0
                            • Instruction ID: 07be12eb9383f053327acb0f959fbec68fb5ab39ea96f4e4f332c4c2a6819db5
                            • Opcode Fuzzy Hash: 920193a0f2747f3809534389da2727f4e0d9136638a45ce2b8b30d85bb9509c0
                            • Instruction Fuzzy Hash: 23F06734909208AFCB40DFA8C4886ACBFB0EF49310F00C0EAC85897351D3395A46CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a9d1ed0c7d74cef3f1f6129be24e17f0e94f9671eee9f82c722638e5ee6b002d
                            • Instruction ID: 0e0415d6d678f36b512937b57f05cf0d84aa9bdcacacfaca5cf6392786e7701d
                            • Opcode Fuzzy Hash: a9d1ed0c7d74cef3f1f6129be24e17f0e94f9671eee9f82c722638e5ee6b002d
                            • Instruction Fuzzy Hash: 05F0E274E04208EFCB40DFA9D848AADBBF5FB48344F2085AAD819A3301DB309A41CF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4e928b37006923d962d9d839a7cf7faffe9bca589f03895961a6d83ffeda05ca
                            • Instruction ID: d4401885435cc288708f304999ba2ca7438e011415dd8c6ad7a7c19910d8a9cf
                            • Opcode Fuzzy Hash: 4e928b37006923d962d9d839a7cf7faffe9bca589f03895961a6d83ffeda05ca
                            • Instruction Fuzzy Hash: 1BF09A78909208EFC741CFA9D8896ACBBB0EF8A344F14C0EAD84897392D3319A41CF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 05db409857c1d57223c909504c7f5397c7bdf782747907a258bd12b8b77ed691
                            • Instruction ID: bd55fcd95c28d3247f886e1c41f2df3610aed2448c005fda4bc0d55ba37b1f56
                            • Opcode Fuzzy Hash: 05db409857c1d57223c909504c7f5397c7bdf782747907a258bd12b8b77ed691
                            • Instruction Fuzzy Hash: 67F02B30A49108DBDF04DF75E655A5E77F2FFC6304B14655890066F355CB342E06CB01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b6be2864725c45bcfa05dd352d9230a842135a7979a938a159f5e1733842d13
                            • Instruction ID: 0ae7c13654cc812762daf08398dfe76f2dd1797802eb3e38c1542388fab00e41
                            • Opcode Fuzzy Hash: 9b6be2864725c45bcfa05dd352d9230a842135a7979a938a159f5e1733842d13
                            • Instruction Fuzzy Hash: 54F03434908248EFCB41DFA9D884AACBFB0FF4A304F10C4EAD848A7251D7359A56EF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7ccffb3eeb2c5195a059c1d2b77895a389d09c56efcb2e06add1e7639a4b815d
                            • Instruction ID: 8a8ea8bcbb2da912199d0efd7a3c994061b8f02a6b129988b9db08a5125298b5
                            • Opcode Fuzzy Hash: 7ccffb3eeb2c5195a059c1d2b77895a389d09c56efcb2e06add1e7639a4b815d
                            • Instruction Fuzzy Hash: 67F08C30809384DFC711EFB9D58829CBFB1EB0A308F2044EAC408D7242E3354E44DB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ed75c17d0490699e52d82357ac66acc3787332963ab8ccd86ef7d7f07796dc9
                            • Instruction ID: 4fe2e77872f3bc8dce1d30fb7d3013437efb2265f5b7fd480735728bedb2fb54
                            • Opcode Fuzzy Hash: 6ed75c17d0490699e52d82357ac66acc3787332963ab8ccd86ef7d7f07796dc9
                            • Instruction Fuzzy Hash: 8BF03A34909248EFCB41DFA9D9849ACBFB0EB89304F10C4EAD84897252D7319A66DF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0ef0a4a0d9da64fa6868b40bef8c02eda77fab68bffefa64bc142c6453d78ae1
                            • Instruction ID: 878ea8f6f0d60d4ec458605585f0fa07e7984a173b7ecba129701248cb2e7297
                            • Opcode Fuzzy Hash: 0ef0a4a0d9da64fa6868b40bef8c02eda77fab68bffefa64bc142c6453d78ae1
                            • Instruction Fuzzy Hash: 82F0E5B1424A05CFCB41FFA1D4083A97F74EB86245F0005D2C60ACB0A0DB310E85CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6fc9b750e30625f0187781d83329551ded5e7f7b4c5b0bfb9c19df0f3de5b46
                            • Instruction ID: bc43245d189a3613ead369c83598b5d0b2035f5acde86d9af4dafef76d5cb49f
                            • Opcode Fuzzy Hash: d6fc9b750e30625f0187781d83329551ded5e7f7b4c5b0bfb9c19df0f3de5b46
                            • Instruction Fuzzy Hash: 89F01C7490A244DFCB05CFA9D4485ACBFB0EF8A318F1881EAC84997252C6358A5ACF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 602e18e4adb2cda4a69f02a9e20ac4c61d93329b40169698685bd7953dceea8b
                            • Instruction ID: b6659562d802a2f3693ea6ed433d008ce230dd1014cacb26219a1922890601e6
                            • Opcode Fuzzy Hash: 602e18e4adb2cda4a69f02a9e20ac4c61d93329b40169698685bd7953dceea8b
                            • Instruction Fuzzy Hash: EFF08234905248DFCB15CF69D4889ACBFB0EF8A314F0485DFD844A7252C3325A45DF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 87c20d9c8f3f4cf8902f71efc230212588699a65d7bd21b4bcd159575ec45475
                            • Instruction ID: 649d59c6c245f3cec1362847de1241c9081423c747e6ba32ddd54ed673106fcd
                            • Opcode Fuzzy Hash: 87c20d9c8f3f4cf8902f71efc230212588699a65d7bd21b4bcd159575ec45475
                            • Instruction Fuzzy Hash: 59F0F274D04208EFCB54DFEAD988AADBBF4FB48304F1089AAD818A3310D7359A40CF80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 38b982caa697d90caa59350c4e0afef1a2295bac12c268eac404c1fa661e1f89
                            • Instruction ID: 0d2841cceb37d3d7fbd3bfe1dc80729886980c6fb5650471622258ceab52f48c
                            • Opcode Fuzzy Hash: 38b982caa697d90caa59350c4e0afef1a2295bac12c268eac404c1fa661e1f89
                            • Instruction Fuzzy Hash: EDF03430909248EFCB40CFA9D8946ACBFB0EB49304F14C0EAD84897351D7359A42DF41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67dd35f868503cfa6bb213f169ccea380b1062586e4bb12beb3cc7daafddbfed
                            • Instruction ID: e7ef0f9d7331f0681acea3ac11b29290c56ea8e96773083ed18751c5ee97f2c9
                            • Opcode Fuzzy Hash: 67dd35f868503cfa6bb213f169ccea380b1062586e4bb12beb3cc7daafddbfed
                            • Instruction Fuzzy Hash: 14F0D435404109EBCF05DF94D844DADBB76FB88304F108199ED0826220C7329A61EB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 220eddaa3e43b7400725c46157f1b03663d21e65a88293bd5f707efe798b5afe
                            • Instruction ID: 0af25201b0071615e6333269a83ca3139f973db891565bab96f511b5fd853bf6
                            • Opcode Fuzzy Hash: 220eddaa3e43b7400725c46157f1b03663d21e65a88293bd5f707efe798b5afe
                            • Instruction Fuzzy Hash: 4DF01C70E04208EFCB54DFA9E8446AEBBB5FB89304F1084A9D918A3344D7345A95DF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0c92b2461b073b41ad77818747e7d8b904c1f31b27c49ed2db64550dc40b79de
                            • Instruction ID: 1e0e0ae4bd1433a399d80c6571d66b9f385dc84629ae5244f5e790a0bf1cccc5
                            • Opcode Fuzzy Hash: 0c92b2461b073b41ad77818747e7d8b904c1f31b27c49ed2db64550dc40b79de
                            • Instruction Fuzzy Hash: ADF0F274D04208EFCB94DFA9D884AADBBF4EB88305F10C0AAE818A3240D6369A51DF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a9ed4f82b9cdb69dbecdef7eb36ca36a0bb64711ece36c958a441cdde19298fc
                            • Instruction ID: 758ce39283e60b2f08b14e09da407af1b0bad6f2cfa159176b508bff29107639
                            • Opcode Fuzzy Hash: a9ed4f82b9cdb69dbecdef7eb36ca36a0bb64711ece36c958a441cdde19298fc
                            • Instruction Fuzzy Hash: 14F0F8B5A25218CFCB10CF95C981AECF7B2FB89301F2141AAE609A7311D3709A41CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 25b0fd0517ddf27ed2024849a29d02d0ddddf46f2bfda6b6c30d99fa0d8db4d8
                            • Instruction ID: 00babb716708c29b35180e8b1aa8f9791febbf30088d7ffaa24bba78228a5b16
                            • Opcode Fuzzy Hash: 25b0fd0517ddf27ed2024849a29d02d0ddddf46f2bfda6b6c30d99fa0d8db4d8
                            • Instruction Fuzzy Hash: A5F03970D04308EFDB40EFA9E4487ADBBB8EB88304F1086A9D409A7344EB345A84CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15e337d647bddbae691d7bee706979c4046937474045d793dde053206fd6fae6
                            • Instruction ID: bd561b059b2d5edd2d984e35d56d2b179f7312a669ab7c844c8501daa423ac88
                            • Opcode Fuzzy Hash: 15e337d647bddbae691d7bee706979c4046937474045d793dde053206fd6fae6
                            • Instruction Fuzzy Hash: 2BF01C34D04208EFCB84DFA9D844AACBBF4EB49314F10C09AD85893340D7359B51DF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5a473b5b0f96b059150830d4b78d0c71a5b54abab59f0199e31f86453429f077
                            • Instruction ID: c9ef218bf03d36556f3f63c5cc4bcd11b535e3e2939aa410168755475d965833
                            • Opcode Fuzzy Hash: 5a473b5b0f96b059150830d4b78d0c71a5b54abab59f0199e31f86453429f077
                            • Instruction Fuzzy Hash: 91F0A034909288AFC701CFA9D4906ACFFB4EF8A304F14C0EAD888A7352D6365A16DB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15e337d647bddbae691d7bee706979c4046937474045d793dde053206fd6fae6
                            • Instruction ID: b15537d735138956b60ee36371b57aaa37047c1c423a97b0ea1cf87defc26324
                            • Opcode Fuzzy Hash: 15e337d647bddbae691d7bee706979c4046937474045d793dde053206fd6fae6
                            • Instruction Fuzzy Hash: F9F01535D04208EFCB84DFA9D944AACBBF4EB88308F10C0AAE858E3340D6359A51DF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aea734147a8f763ac22de90b4eca82e7adca456fc901bc7ab96b16ccc069d2a8
                            • Instruction ID: 17e925480fa983860d3d0b8babe016a4006f5839abdc4cb1b1b0b5102fe067f3
                            • Opcode Fuzzy Hash: aea734147a8f763ac22de90b4eca82e7adca456fc901bc7ab96b16ccc069d2a8
                            • Instruction Fuzzy Hash: 64F01C34E04208EFCB54CFA9D4846ACFFB0EF89354F14C0AAD848A3301D6325A55CF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 61e3044f7ef4b774f90fff573d956dce669d357f549474dac03853cad2bd3920
                            • Instruction ID: 5d57d08ad9998a3b9d5027327e7c8b5af38069a1cf81bef5f593a9b97d7b792b
                            • Opcode Fuzzy Hash: 61e3044f7ef4b774f90fff573d956dce669d357f549474dac03853cad2bd3920
                            • Instruction Fuzzy Hash: 4FF01530D04208DFCB44EBAAE4486ADBBB4EB48208F1085AA8918A2355DA388A45CF41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 372506a9deb9ac008b688aef8e194a72b86cc62d6d23f580d3ead5db221e7140
                            • Instruction ID: fa7808185b011566a6565a55fb91e2370785863b04f3f70f5df8cd0d9b94e44a
                            • Opcode Fuzzy Hash: 372506a9deb9ac008b688aef8e194a72b86cc62d6d23f580d3ead5db221e7140
                            • Instruction Fuzzy Hash: 86F0A534D04208EFCB44DFA9D884AACBBB5FB88314F10C0AAD818A3350D7369A55DF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 824130a3011c50b113a6f352b0928923a2bdd482fb3b06d1010b63bedffdaaeb
                            • Instruction ID: 26fcecb180bebcf983d0731e0a00ec2226860cf1a7338a697655fe185dccce8a
                            • Opcode Fuzzy Hash: 824130a3011c50b113a6f352b0928923a2bdd482fb3b06d1010b63bedffdaaeb
                            • Instruction Fuzzy Hash: A4E0DFB1518305CFC701CF55E804798BB74EB86228F1085DAC80D8B292C7334983CB80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4694f27c7d908cecc4a0839bfe7d9308c122388821b7d51a245657928bb835ba
                            • Instruction ID: 76e3510d0fb095f216d58d53a50b0b8e51a3fdbd0ec4656e7729e425f598c5d4
                            • Opcode Fuzzy Hash: 4694f27c7d908cecc4a0839bfe7d9308c122388821b7d51a245657928bb835ba
                            • Instruction Fuzzy Hash: 0BE03974E49204ABCB04CF66E8945AEBBB5EB1A318F005458E416BB304DE305841CF00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec38104d92b2076a142af1eb85fed66e093ab5d4758eb2990b06800a332837b7
                            • Instruction ID: 801625a8554f6caa93ad57a9db9b3ba27f3834df624738204a9a70e03556814d
                            • Opcode Fuzzy Hash: ec38104d92b2076a142af1eb85fed66e093ab5d4758eb2990b06800a332837b7
                            • Instruction Fuzzy Hash: C0E0D8600AC6C5CFD71626A5F5343747F249BC6344F0554DA811A1A156C72408558B1A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a13ab140cec523989cd6b7d4129bb137673f4744d71d9019533f5023b79e2133
                            • Instruction ID: 5eab8cbaf66ac66cb9b694dbce2de3676f865092b5e6a9b4663146b09a191a81
                            • Opcode Fuzzy Hash: a13ab140cec523989cd6b7d4129bb137673f4744d71d9019533f5023b79e2133
                            • Instruction Fuzzy Hash: 8CE0ED34915208DFC744DFA9D4846ACBBF5EB49209F2480A9C80CD7341E6319A46CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 48b7b1a530e351b902ad08c66bd90c4d581ed6b54a1a6a23f65d3120fd038f6f
                            • Instruction ID: a548da249b93104c9d9e98011c9587393ada4cb922b8cd6518785e5e853d7774
                            • Opcode Fuzzy Hash: 48b7b1a530e351b902ad08c66bd90c4d581ed6b54a1a6a23f65d3120fd038f6f
                            • Instruction Fuzzy Hash: 70E05274E05208EFCB54DFA9D5856ACFBB4EB88308F10C5AAD818A3341D6369A46CF81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 58b58d5828c6b88818748b1ea654cf8bb5dfe782d1cf6829c9b291e992a13eb8
                            • Instruction ID: cb4fadacdbafef07744f4a6cf6d34ee3ac7b096e4d5319548d43c6a54c29a15d
                            • Opcode Fuzzy Hash: 58b58d5828c6b88818748b1ea654cf8bb5dfe782d1cf6829c9b291e992a13eb8
                            • Instruction Fuzzy Hash: EBE0E574E15208EFCB84DFA9D4456ACFBF4EB89308F10C4AAC918A3340D7759A45CF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 858b45006333253db7a305a09747594c92bbf7c0cf57676bd41c863cfac04f51
                            • Instruction ID: e55f9228a68c6fbabaf63d0f9e0aa79916b5a2639e1f1eb8f0a8cac9cd1d0913
                            • Opcode Fuzzy Hash: 858b45006333253db7a305a09747594c92bbf7c0cf57676bd41c863cfac04f51
                            • Instruction Fuzzy Hash: E6E0C2B191520DDFC705FFF6E8047BEB7A8EB85248F0045A5CA0A93110EF321A04DBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a2091bdf83bf1a3a26ab2decf5a6e89fb8e1fb78c5d31d17b71291063798a844
                            • Instruction ID: 6bc556eb1a7c681aaba7730158a13826b17a2a8e1c824467e0e99b7e90e76e1e
                            • Opcode Fuzzy Hash: a2091bdf83bf1a3a26ab2decf5a6e89fb8e1fb78c5d31d17b71291063798a844
                            • Instruction Fuzzy Hash: 3DE08CB195568CDBC704FBE6E4046AE77E8EB89648F0044A9C50993110EB320A54EBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ce6d2019e61fd5fe104685147adc66d89e67a79fbaa989e730af2b60237df568
                            • Instruction ID: d3f90a4fcf0a0be4a3014a1d88cd88e4d827b13383b43314c486c288065d41c0
                            • Opcode Fuzzy Hash: ce6d2019e61fd5fe104685147adc66d89e67a79fbaa989e730af2b60237df568
                            • Instruction Fuzzy Hash: 65E08CB1915608DBC704FBB6E4047BEB7A8EB89248F0048A5C509A3110EB320A48DAA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7d02e2ac79b54262e9af1189de9149220250eaab1d2d12b96f01789d9174d993
                            • Instruction ID: 297ab9b34e17e667e79d1628855789e069e6248f8149cf2f03936cc8b29a5a3b
                            • Opcode Fuzzy Hash: 7d02e2ac79b54262e9af1189de9149220250eaab1d2d12b96f01789d9174d993
                            • Instruction Fuzzy Hash: F3E08C71915208EFC704FFB6E448AAEB7A9EB85248F0044A6C509A3110EB320A04DAA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f5a79acf11e3dddf88f5060861d7bb4e7909f033b60b3ba67219e77fe81b979b
                            • Instruction ID: cc5eeb2ec525aa0a9e0d76c40514a6ceb4bf714f48a061ffb300afe90d577222
                            • Opcode Fuzzy Hash: f5a79acf11e3dddf88f5060861d7bb4e7909f033b60b3ba67219e77fe81b979b
                            • Instruction Fuzzy Hash: 57E0C27291960DDFC704FBF6F4447BEB7B8EB85248F0044A9C50A93910EF324A04DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1ebbec2966f3a854a1e1e0f29534a73279bb1693da5da5afe0b77db71961f0d0
                            • Instruction ID: f570e392682a8d130dd67e11278a9e95215acfb36d48b6af52a7fa365afc97de
                            • Opcode Fuzzy Hash: 1ebbec2966f3a854a1e1e0f29534a73279bb1693da5da5afe0b77db71961f0d0
                            • Instruction Fuzzy Hash: E8E0DFB0AA8208CFDB05AB14D4093AEB77AFB9B305F106158900A2F38ACF740DC2CF41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d4f0be5d6cc31276964419d267c0bb7ddc059e050a0f2b0b81590e71c8d9e36c
                            • Instruction ID: 2b92b31b83e3562d4bb70b1bbe716d5477a044ee71635cb5c6594dfb5b182b74
                            • Opcode Fuzzy Hash: d4f0be5d6cc31276964419d267c0bb7ddc059e050a0f2b0b81590e71c8d9e36c
                            • Instruction Fuzzy Hash: 18E08CB192520EDFCB18EBA6E4007AE77A9EB85244F0049A5960997110EB321A04AAA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0c909fd7c3ea34b02ddb5dbbc74976bf4688ec5647ec511bb24ffd0026007b7b
                            • Instruction ID: 0fd2884a9a6c5ea5cc41bc82173cf03153e852fb1dcaf94fa6366d550b483c8c
                            • Opcode Fuzzy Hash: 0c909fd7c3ea34b02ddb5dbbc74976bf4688ec5647ec511bb24ffd0026007b7b
                            • Instruction Fuzzy Hash: F9E08CB1925A09DFCB40FFB5D5046AE7BA8EB85245F0045A6C60A93120EB310A149BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 82adc11218066394d5296687fe21e3caab9bb72cf16f830b8b7feb61ad922ffe
                            • Instruction ID: 98eee1f17fe43b94121a4a913f63463c6cd044d63fb9cc6a9fdd957e79c2d851
                            • Opcode Fuzzy Hash: 82adc11218066394d5296687fe21e3caab9bb72cf16f830b8b7feb61ad922ffe
                            • Instruction Fuzzy Hash: D6E04F38904208EFCB04DF95E844DACBF75FB85304F10C0AAD80823341C7325A55DE90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4468823b1a8b1e5d4eeb5ed3daa5ed1c73282e096eaaf16db51ac99b4c32bfe2
                            • Instruction ID: 187aa1c0269d6aa43364d9f74756f82b97e28074c020306b831cd22a0ad835e7
                            • Opcode Fuzzy Hash: 4468823b1a8b1e5d4eeb5ed3daa5ed1c73282e096eaaf16db51ac99b4c32bfe2
                            • Instruction Fuzzy Hash: 80E01A34D08208EFCB44DF99E5446ACBBB4EB88208F14C0AED81953341C6399A41CF80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8304346849208a8d3911fd29f9ba3c9724deb04773045786daa532bd43506210
                            • Instruction ID: 4b2d885b7f4e91523948b465b41ddd21571f97cc6c2f49b5ee213532e31c4cc1
                            • Opcode Fuzzy Hash: 8304346849208a8d3911fd29f9ba3c9724deb04773045786daa532bd43506210
                            • Instruction Fuzzy Hash: 38E04F70905208DFCB54EFB9D4886ACBBB5EB44208F6044A9C908A3340D7355A40CF81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 569ed89eea9cfab1c7b648dd40cf9da80f61bea6528ec6cb3b64fbf7e1d805a3
                            • Instruction ID: e74be1b43416f64ba8907c21229697f3481b071a9702f2bc16d6b7c4dad08885
                            • Opcode Fuzzy Hash: 569ed89eea9cfab1c7b648dd40cf9da80f61bea6528ec6cb3b64fbf7e1d805a3
                            • Instruction Fuzzy Hash: 81E09A34D05208EFCB44DF99D5856ACFBB4EB88308F10C5A9D81857341D7315A55CF41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4468823b1a8b1e5d4eeb5ed3daa5ed1c73282e096eaaf16db51ac99b4c32bfe2
                            • Instruction ID: b4a5803143865ae894f53f7f469f703aadd07ad9a30d9fd832e9445ae2e619d6
                            • Opcode Fuzzy Hash: 4468823b1a8b1e5d4eeb5ed3daa5ed1c73282e096eaaf16db51ac99b4c32bfe2
                            • Instruction Fuzzy Hash: 92E01A74D04208EFCB04DF99D8446ACBBB4EB88208F10C0EAC81863341C6355A41DF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4468823b1a8b1e5d4eeb5ed3daa5ed1c73282e096eaaf16db51ac99b4c32bfe2
                            • Instruction ID: 8ccb347b342b1e807e5000b7846d8a3fca8e8a6b59ae255d052cce7630844449
                            • Opcode Fuzzy Hash: 4468823b1a8b1e5d4eeb5ed3daa5ed1c73282e096eaaf16db51ac99b4c32bfe2
                            • Instruction Fuzzy Hash: CEE01A34D04208EFCB04DFAAE4446ACFBB4EB88208F10C4AAC80893341D6355A45CF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4468823b1a8b1e5d4eeb5ed3daa5ed1c73282e096eaaf16db51ac99b4c32bfe2
                            • Instruction ID: 53f3574e0f703568d96390b102691563e22d48a0c23209871f4dbb073e040ca2
                            • Opcode Fuzzy Hash: 4468823b1a8b1e5d4eeb5ed3daa5ed1c73282e096eaaf16db51ac99b4c32bfe2
                            • Instruction Fuzzy Hash: 92E01A34D04208EFCB04DF99D484AACBBB5EB88208F10C0AAC80867341C6355A41CF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 95286e9eaf9fadb82a9b7aaf6a20b814ec03743c8965a0eb72f86d4e62fef524
                            • Instruction ID: b072a7bdff84fc1f9779d3f010cab22cc7fcf98f7a9c476a406ee85ee8ccf784
                            • Opcode Fuzzy Hash: 95286e9eaf9fadb82a9b7aaf6a20b814ec03743c8965a0eb72f86d4e62fef524
                            • Instruction Fuzzy Hash: A7D02B601FD285CBC61436E9F4357347B6CC7CA284F006461820E16156CF6014018B29
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 78b64f3ccb8d4042e91b0605ba3c8476e6a95710a6cfb366551d7c9ba4aa24b1
                            • Instruction ID: 42af4765ccc36d5137057a8d9f35ee2862d65167e4f2e21f06093d0b4edb27ea
                            • Opcode Fuzzy Hash: 78b64f3ccb8d4042e91b0605ba3c8476e6a95710a6cfb366551d7c9ba4aa24b1
                            • Instruction Fuzzy Hash: EDE0B674E0820CAFCB44EFB8E54459DBBF5AB88308F0085E9D809E7344EB346A14CF85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 279ba711b0b66b2e08eff65dea1a1b85f76492fcbeabf76910be0df9d6960016
                            • Instruction ID: 94fae1a240c729087bc3518f8ea55476d9fd618a2aa451769a2a771b8df3e942
                            • Opcode Fuzzy Hash: 279ba711b0b66b2e08eff65dea1a1b85f76492fcbeabf76910be0df9d6960016
                            • Instruction Fuzzy Hash: 73E0E22045E3C08FD7230779A8642A83F748F87289B0E05CAD5C88B4A3C51A046ACB2A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72401252216a9eb51b41043f858108ff05d66e6a970c10dafdd58f9eaf23cc93
                            • Instruction ID: 69834063700c580e81773180e96dd09afb70af5735e873d4567437e4e94393be
                            • Opcode Fuzzy Hash: 72401252216a9eb51b41043f858108ff05d66e6a970c10dafdd58f9eaf23cc93
                            • Instruction Fuzzy Hash: ADE01235A00218CBDB50CB98E880B9DF7B5FB88214F2084AAE50DA7204CB305E898FA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f0d965f73a7479029ddfb4210343f27820e0ef309a364a5fe67b0b8d09d6da8
                            • Instruction ID: 01d460839231472f637fc53498606f755efb4e8618fbdfdffd0bc62a829828d7
                            • Opcode Fuzzy Hash: 2f0d965f73a7479029ddfb4210343f27820e0ef309a364a5fe67b0b8d09d6da8
                            • Instruction Fuzzy Hash: B8E01235E40219CBDB10CF98E880B9DF7B4FB88240F1080E6E50DE7244CA305E9A8F60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 96f3dae6fab741b023deb38ea21ba5088eec097a0efe8e445f956abb7454af62
                            • Instruction ID: 697ed6b91a171e98d7f8483f21008c91c603653405568a7f9d5a32f0dda1fc18
                            • Opcode Fuzzy Hash: 96f3dae6fab741b023deb38ea21ba5088eec097a0efe8e445f956abb7454af62
                            • Instruction Fuzzy Hash: 42D0A77009D6C4CFC7062BB864043A43FA89F47144B4A48D1C28C06423A25400DACE12
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6a802c388155026ac5cc38fe75c4ebaf7a8bb927502d4c439ba52b22f26fd446
                            • Instruction ID: 55e4c135a149c71868689e0086d2cd3587954747a9dd3e22a597fa145c003e63
                            • Opcode Fuzzy Hash: 6a802c388155026ac5cc38fe75c4ebaf7a8bb927502d4c439ba52b22f26fd446
                            • Instruction Fuzzy Hash: BAC02B700AD704CFC5183FCEB40C334374C638628DF004844C30C010108B706098CD22
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cf8784ed70bc930809f41afbbcdb5913c76d864a15632226a3f66a05d2ac0717
                            • Instruction ID: 6b10c2d9bc890a861313a269203b7f3204aa922458fd13ab05831dde8530c190
                            • Opcode Fuzzy Hash: cf8784ed70bc930809f41afbbcdb5913c76d864a15632226a3f66a05d2ac0717
                            • Instruction Fuzzy Hash: C7C02B70069B04CFE514138EB50C334374C538534DF040804F30C01030C7700050CDBD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0075deb88aae9995252fa8b56028de4e69355d4ccbf2ba1fd895242d18ecfa2a
                            • Instruction ID: 9021c4751d24d43e3d3c3c98dff854ffcb17d867017591124a86d3505f7e329a
                            • Opcode Fuzzy Hash: 0075deb88aae9995252fa8b56028de4e69355d4ccbf2ba1fd895242d18ecfa2a
                            • Instruction Fuzzy Hash: C5D0C9B4D40268DFCB50CFA5C4987ACB7B9BB48604F20C2D9C849E3341DB389A85CF00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339808642.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2c60000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d099ece0d2146378cb36517cc3a0929330b3510f7dc721f6e2330bbb0299abea
                            • Instruction ID: c2b424d4918772e439b36f54f22d802a1f4a39140095a898e888b406ab493c00
                            • Opcode Fuzzy Hash: d099ece0d2146378cb36517cc3a0929330b3510f7dc721f6e2330bbb0299abea
                            • Instruction Fuzzy Hash: E8B0927090930CAF8710DA99990181AB7ACDA0A218B0005DAEE0C87711DA32E91056D6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a0fe2e7be87e92892aedc7c7ef84f312a065a8f2779ab151f91afd0fa76baaa7
                            • Instruction ID: 62e4509884850e21d5e409202c9db951257715c4a9d7bd72d285a79daacfbd19
                            • Opcode Fuzzy Hash: a0fe2e7be87e92892aedc7c7ef84f312a065a8f2779ab151f91afd0fa76baaa7
                            • Instruction Fuzzy Hash: D9C012705AD280CFC7066B34E86D0A5BFA5FF46245B0819B8D00A4E463CEA40988CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID: MZ+}$UUUU
                            • API String ID: 0-152894188
                            • Opcode ID: d821878894922c6ad7a4381b83e05a6cbb6f14cce3af2c90b18b02f54ca2a026
                            • Instruction ID: 5361abce63857f9462562b61b7b2af2d0155648ff92eb76e2f76f52bd1766641
                            • Opcode Fuzzy Hash: d821878894922c6ad7a4381b83e05a6cbb6f14cce3af2c90b18b02f54ca2a026
                            • Instruction Fuzzy Hash: BC12C5B1E106598BDB14CFAAD98069DFBF2FF88304F28C169D518EB219D730A946CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 354fcdd07d43e3fe7db83e4d69085948ed134f85ffb65ba344b0f1dd8647c634
                            • Instruction ID: 8991377e19700861d70d19cb381beb978baa8f97e5e23ad5e40c204af2e5366a
                            • Opcode Fuzzy Hash: 354fcdd07d43e3fe7db83e4d69085948ed134f85ffb65ba344b0f1dd8647c634
                            • Instruction Fuzzy Hash: 1861F771E41604CFDB48DFB6E941A8ABBF3EFC4304B04D929D108AF265EB745D0A8B41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d5418d0b70648204fce6469ade6e0b118037029a9a870cb76bc11cce36c4e8bc
                            • Instruction ID: 73830a2f7e2fe9a4ead918af671e3c92302ee66dafb7112588ebabda16723439
                            • Opcode Fuzzy Hash: d5418d0b70648204fce6469ade6e0b118037029a9a870cb76bc11cce36c4e8bc
                            • Instruction Fuzzy Hash: 273164B1D156188BEB68CF6BC84979AFAF6BFC9304F14C1AAC44CA6254DB740A858F01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.339015184.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Project.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3de441e99e73a23211a6ed482d3897c54eaf4e10902b53ccc690ab2590540f0d
                            • Instruction ID: 09c5c5bb0319a51f1be7ef8ebc03b0f23d2794080f1ca69a43befda08aec82fa
                            • Opcode Fuzzy Hash: 3de441e99e73a23211a6ed482d3897c54eaf4e10902b53ccc690ab2590540f0d
                            • Instruction Fuzzy Hash: C13189B1E056588BEB69CF6BCD4978AFBF7AFC9304F14C1AAC44CA6254DB7406858F01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage

                            Dynamic/Packed Code Coverage

                            Signature Coverage

                            Execution Coverage:13.1%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:91
                            Total number of Limit Nodes:7
                            Execution graph (rendered figure; node and edge data omitted). The graph nodes reference the APIs GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateWindowExW, RtlEncodePointer, LoadLibraryA, CallWindowProcW and DuplicateHandle.

                            Executed Functions

                            Control-flow Graph

                            Control-flow graph (rendered figure; executed / not-executed node data omitted)
                            APIs
                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0658B213
                            Memory Dump Source
                            • Source File: 0000000E.00000002.523370269.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_6580000_InstallUtil.jbxd
                            Similarity
                            • API ID: NameUser
                            • String ID:
                            • API String ID: 2645101109-0
                            • Opcode ID: 0f6d6acdb5d45b57d3afba7a4755995cd765a1252f2fef2222ed14c1f91b3920
                            • Instruction ID: f51c7a6c5ae8c1e4bd817c7c663c9489c18170b8f881713a3ea99e4eeef13bcb
                            • Opcode Fuzzy Hash: 0f6d6acdb5d45b57d3afba7a4755995cd765a1252f2fef2222ed14c1f91b3920
                            • Instruction Fuzzy Hash: 5B514270E002188FDB58DFA9C884BEEBBB5BF48304F148129E816BB750D774A844CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 01766BB0
                            • GetCurrentThread.KERNEL32 ref: 01766BED
                            • GetCurrentProcess.KERNEL32 ref: 01766C2A
                            • GetCurrentThreadId.KERNEL32 ref: 01766C83
                            Memory Dump Source
                            • Source File: 0000000E.00000002.520703255.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_1760000_InstallUtil.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: d561de0989d0d71d09c0ade1ba80fe9139a8ecac08941e0fa648de91b3a9411d
                            • Instruction ID: 72bc464124f112b912e9fdbe26a5334e8d0141d3b1e077ca209284a1ac84242e
                            • Opcode Fuzzy Hash: d561de0989d0d71d09c0ade1ba80fe9139a8ecac08941e0fa648de91b3a9411d
                            • Instruction Fuzzy Hash: BE5187B0904384CFDB19CFA9C9487DEBFF0EF89314F24849AE459A7260D7346884CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 01766BB0
                            • GetCurrentThread.KERNEL32 ref: 01766BED
                            • GetCurrentProcess.KERNEL32 ref: 01766C2A
                            • GetCurrentThreadId.KERNEL32 ref: 01766C83
                            Memory Dump Source
                            • Source File: 0000000E.00000002.520703255.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_1760000_InstallUtil.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: ee458d8f662db2b86b9be731238e4fd09a5f5eb4e2095e99e43df4a3fc905ed9
                            • Instruction ID: aa58c280106a21a84dea00bf75c7e0277fc56f57547dde8cd31d8ed92f890a87
                            • Opcode Fuzzy Hash: ee458d8f662db2b86b9be731238e4fd09a5f5eb4e2095e99e43df4a3fc905ed9
                            • Instruction Fuzzy Hash: BF5144B4900648CFDB18CFAAC648B9EBBF4EF88314F24845AE419B7354D7746884CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (rendered figure; executed / not-executed node data omitted)
                            APIs
                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0658B213
                            Memory Dump Source
                            • Source File: 0000000E.00000002.523370269.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_6580000_InstallUtil.jbxd
                            Similarity
                            • API ID: NameUser
                            • String ID:
                            • API String ID: 2645101109-0
                            • Opcode ID: c262f6c44dbebd87a07578d3fed33b98249af09df013b6ba53971c73e52e1d0c
                            • Instruction ID: 8a038474ff48c4ebd6444807b11e481c45575462b5867226d501ef4be50f45ad
                            • Opcode Fuzzy Hash: c262f6c44dbebd87a07578d3fed33b98249af09df013b6ba53971c73e52e1d0c
                            • Instruction Fuzzy Hash: 91513F70E002188FDB58DFA9C884BEEBBB5BF48304F15812AE819BB751C774A844CF85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (rendered figure; executed / not-executed node data omitted)
                            APIs
                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0658B213
                            Memory Dump Source
                            • Source File: 0000000E.00000002.523370269.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_6580000_InstallUtil.jbxd
                            Similarity
                            • API ID: NameUser
                            • String ID:
                            • API String ID: 2645101109-0
                            • Opcode ID: a598fccf90272726343a0c2ff304720688425cfcc473a684141cdddfc70f532e
                            • Instruction ID: 85f573abf0d1ea07f59f630e1c41fa3813f471a181f641ab5458ba550139f6ad
                            • Opcode Fuzzy Hash: a598fccf90272726343a0c2ff304720688425cfcc473a684141cdddfc70f532e
                            • Instruction Fuzzy Hash: 29513170E002188FDB58DFA9C885BEDBBB5BF48304F158129E81ABB791D774A844CF94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (rendered figure; executed / not-executed node data omitted)
                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017652A2
                            Memory Dump Source
                            • Source File: 0000000E.00000002.520703255.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_1760000_InstallUtil.jbxd
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: 72bcc009e682931102b45df94ebaefcb79d2da8938a3ffd03262811e6d3e1ec5
                            • Instruction ID: 3bba7f63829c03cd9dfbb5d6b8d3572530f8118839345f46c3fd92adeeeac833
                            • Opcode Fuzzy Hash: 72bcc009e682931102b45df94ebaefcb79d2da8938a3ffd03262811e6d3e1ec5
                            • Instruction Fuzzy Hash: 0351DFB1D103499FDB14CFA9C984ADEFFB5BF88354F25812AE819AB210D7749845CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (rendered figure; executed / not-executed node data omitted)
                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017652A2
                            Memory Dump Source
                            • Source File: 0000000E.00000002.520703255.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_1760000_InstallUtil.jbxd
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: 0bb8f0399e460455b587e23760ed4035764df40663bc4e661d3134ed6ccf9341
                            • Instruction ID: dcbcb7cfa6b8dd95dde3dedd69a310b423143086ffbe1628677b50d1a63e2144
                            • Opcode Fuzzy Hash: 0bb8f0399e460455b587e23760ed4035764df40663bc4e661d3134ed6ccf9341
                            • Instruction Fuzzy Hash: 4841C0B1D143499FDB14CF99C884ADEFFB5BF88354F24812AE919AB210D7749845CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (rendered figure; executed / not-executed node data omitted)
                            APIs
                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 01767CF9
                            Memory Dump Source
                            • Source File: 0000000E.00000002.520703255.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_1760000_InstallUtil.jbxd
                            Similarity
                            • API ID: CallProcWindow
                            • String ID:
                            • API String ID: 2714655100-0
                            • Opcode ID: 92ba63d51872b741c0261741a711da2cd5652b8319276f51a1a1a1dd83109a4d
                            • Instruction ID: daa9d03f1848775281b06bef41af0f1d7cf0729fe2e9ce08b98b711fde0a2eb6
                            • Opcode Fuzzy Hash: 92ba63d51872b741c0261741a711da2cd5652b8319276f51a1a1a1dd83109a4d
                            • Instruction Fuzzy Hash: FD414CB59003459FDB18CF59C488BAAFBF9FF88318F158459D919A7315D734A841CFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (rendered figure; executed / not-executed node data omitted)
                            APIs
                            • LoadLibraryA.KERNELBASE(?), ref: 06583E4A
                            Memory Dump Source
                            • Source File: 0000000E.00000002.523370269.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_6580000_InstallUtil.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 97e0bad142a715c8dbc2c2bdee1e0f2b8e68c603e24dae46a4d19a438bf91ce7
                            • Instruction ID: 91fc918453eb166620e7f8acd2232bdbacf5e3d7300e531008956062f61d5a17
                            • Opcode Fuzzy Hash: 97e0bad142a715c8dbc2c2bdee1e0f2b8e68c603e24dae46a4d19a438bf91ce7
                            • Instruction Fuzzy Hash: BA3132B0D1024A9FDB54EFA8C885BDEBBB1BF08714F148529E815ABB80D7749885CF81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (rendered figure; executed / not-executed node data omitted)
                            APIs
                            • LoadLibraryA.KERNELBASE(?), ref: 06583E4A
                            Memory Dump Source
                            • Source File: 0000000E.00000002.523370269.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_6580000_InstallUtil.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 7898823d38b1fd91bc106c8fdbfb4dc7fa97c1ce4bdb8d669683b5401bc3a60f
                            • Instruction ID: 01aeb45311c95997156db52e0268a15e1a71e4dfe06f4842d79b68396065fee2
                            • Opcode Fuzzy Hash: 7898823d38b1fd91bc106c8fdbfb4dc7fa97c1ce4bdb8d669683b5401bc3a60f
                            • Instruction Fuzzy Hash: 293123B0D1024A9FDB54EFA8C885B9EBBB1FF08714F148529E815BBB80D7749845CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (rendered figure; executed / not-executed node data omitted)
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01766DFF
                            Memory Dump Source
                            • Source File: 0000000E.00000002.520703255.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_1760000_InstallUtil.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: cec5aaa19d2119359ade567e664e0fc79b6e906fdb75806f74b00a80f0872b18
                            • Instruction ID: 2699e4872d20dc689c185ef8a8676a40ae3f6ca377c338439c1977aa64083436
                            • Opcode Fuzzy Hash: cec5aaa19d2119359ade567e664e0fc79b6e906fdb75806f74b00a80f0872b18
                            • Instruction Fuzzy Hash: 7821D2B59002489FDB10CFA9D985ADEFBF4FF48324F14851AE914A7710D374A954CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (rendered figure; executed / not-executed node data omitted)
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01766DFF
                            Memory Dump Source
                            • Source File: 0000000E.00000002.520703255.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_1760000_InstallUtil.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: ff3ccf1639ebc67b34ab9e700d2b6aea384e85d60c09a445b79e9bb11b6bfa90
                            • Instruction ID: b874bf532fc25a058a3c1e9753c3c76563364dd62d9aef5d9b2153737403416d
                            • Opcode Fuzzy Hash: ff3ccf1639ebc67b34ab9e700d2b6aea384e85d60c09a445b79e9bb11b6bfa90
                            • Instruction Fuzzy Hash: 7821E2B5900248AFDB10CFAAD884ADEFBF8FB48324F14841AE914A3710D374A954CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlEncodePointer.NTDLL(00000000), ref: 0176BE72
                            Memory Dump Source
                            • Source File: 0000000E.00000002.520703255.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_1760000_InstallUtil.jbxd
                            Similarity
                            • API ID: EncodePointer
                            • String ID:
                            • API String ID: 2118026453-0
                            • Opcode ID: 8318bee2b3b561df3394a3fbf98593648404e03cbf159d89ad8abca61fa2bec1
                            • Instruction ID: f01df66dfe02e6526c995d5397108a8af1407f8a54502ca0654348439130bf59
                            • Opcode Fuzzy Hash: 8318bee2b3b561df3394a3fbf98593648404e03cbf159d89ad8abca61fa2bec1
                            • Instruction Fuzzy Hash: 69219A72905385CFDB20DFA9CA4878EBFF4FB0A314F14806AD844E3641C3385548CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlEncodePointer.NTDLL(00000000), ref: 0176BE72
                            Memory Dump Source
                            • Source File: 0000000E.00000002.520703255.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_1760000_InstallUtil.jbxd
                            Similarity
                            • API ID: EncodePointer
                            • String ID:
                            • API String ID: 2118026453-0
                            • Opcode ID: e5d43cc15cf96361acf8a043846a00fe03948d79a4d7e8a750f4559f7e3ce371
                            • Instruction ID: 4691e249c026fc7eb77183907ad8f04e6121bbd82f279e1363a2f2af3c0a4929
                            • Opcode Fuzzy Hash: e5d43cc15cf96361acf8a043846a00fe03948d79a4d7e8a750f4559f7e3ce371
                            • Instruction Fuzzy Hash: 4A116A72A00349CFDB50DFA9C9487DEBBF8FB49314F248429D905A3644C7386544CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000E.00000002.520392218.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_146d000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c5a385745d10a2645648fc5d8bf49198ea07811be8dff23f6765ca857724e832
                            • Instruction ID: 3e6abab95153f0ec33666d726bec2eb3520098e6ea7b51ec3bacfa1c2e07b10e
                            • Opcode Fuzzy Hash: c5a385745d10a2645648fc5d8bf49198ea07811be8dff23f6765ca857724e832
                            • Instruction Fuzzy Hash: 24213671A04240DFDB15DF54D9C0B27BB69FB88328F24856AD9464B616C336E846CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000E.00000002.520392218.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_146d000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2bbe6de95639685c4aec8094e3be0a6c2e57b79d3555ce7fe1a9500e7d3385f0
                            • Instruction ID: 4c97b07e76e206b24a8f79f93a5f8fb827c2f46c754d341a5b7a64d1b84d7b9c
                            • Opcode Fuzzy Hash: 2bbe6de95639685c4aec8094e3be0a6c2e57b79d3555ce7fe1a9500e7d3385f0
                            • Instruction Fuzzy Hash: DB2136B1A04240DFCB05DF54D9C0B27BF69FB8832CF24856AE9494B656C336D856CAA3
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.520493553.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_147d000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b44b4b2b9491e6b813f908374b68b31483d76224441327237ba218e1548beb6
• Instruction ID: 133e41cc383765218aeaeef85870266f75e99e91a0978fea281c29fab27a38a0
• Opcode Fuzzy Hash: 3b44b4b2b9491e6b813f908374b68b31483d76224441327237ba218e1548beb6
• Instruction Fuzzy Hash: D62137B5904280DFCB16CF64D9C4B66BB61FF88358F24C56ED90A4B356C336D847CA61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.520493553.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_147d000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c2b85eeb185ec88ce423776f686d8a716cabf563cfee6b5f90d365bf8049fb8
• Instruction ID: e522a994ecb651fe30c4c8be0052374673a618afde98d4c0ec89ee7e6c0730c4
• Opcode Fuzzy Hash: 9c2b85eeb185ec88ce423776f686d8a716cabf563cfee6b5f90d365bf8049fb8
• Instruction Fuzzy Hash: D2217F755093C08FCB13CF24D990756BF71EF46214F28C5DAD8498B667C33A984ACB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.520392218.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_146d000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a79264ee9e5e0c6cb5b4fd92c7bd6edde55ceca95bf59a389ba197ee62f459a
• Instruction ID: ca5e31800a2f2939221f04f906a12e80361d2d5b8f556aa286a93f9964492fe3
• Opcode Fuzzy Hash: 4a79264ee9e5e0c6cb5b4fd92c7bd6edde55ceca95bf59a389ba197ee62f459a
• Instruction Fuzzy Hash: 1811B176904280CFDB16CF54D5C4B16BF71FB84328F2886AAD8454B627C336D45ACBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.520392218.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_146d000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a79264ee9e5e0c6cb5b4fd92c7bd6edde55ceca95bf59a389ba197ee62f459a
• Instruction ID: 4f335fb2c894a72f8e79cde6f1b2276d7f8ca5ce73f19fe97bfe75e5e333fa14
• Opcode Fuzzy Hash: 4a79264ee9e5e0c6cb5b4fd92c7bd6edde55ceca95bf59a389ba197ee62f459a
• Instruction Fuzzy Hash: ED11B476904240CFCB16CF54D5C4B16BF71FB84324F2885AAD8494B616C336D456CBA2
Uniqueness
Uniqueness Score: -1.00%