Windows Analysis Report
G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe

Overview

General Information

Sample name:G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
Analysis ID:1501084
MD5:94117aff03dec1ed2036aab93e6ee76c
SHA1:d095d0607a47c54ed7bc407362ddd73ad3175258
SHA256:06ce17c25d36e66683f7eab6a010de3f388a3097312e47875ba3eda13c6dd4c1
Tags:exe
Infos:

Detection

AgentTesla, DarkTortilla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Outbound SMTP Connections
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe" MD5: 94117AFF03DEC1ED2036AAB93E6EE76C)
    • cmd.exe (PID: 1192 cmdline: "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe" "C:\Users\user\AppData\Roaming\po.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\user\AppData\Roaming\po.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 3892 cmdline: ping 127.0.0.1 -n 17 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • PING.EXE (PID: 7096 cmdline: ping 127.0.0.1 -n 17 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • po.exe (PID: 2712 cmdline: "C:\Users\user\AppData\Roaming\po.exe" MD5: 94117AFF03DEC1ED2036AAB93E6EE76C)
        • AppLaunch.exe (PID: 2328 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Malware Configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Yara matches (memory dumps)
Source | Rule | Description | Author
0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.3611482014.0000000006A31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.3611482014.0000000006A31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.3611482014.0000000006A5C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(23 further entries not shown)

Yara matches (unpacked PEs)
Source | Rule | Description | Author
10.2.po.exe.43446a8.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.po.exe.43446a8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.2.po.exe.43446a8.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Strings:
  • 0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.po.exe.42f4688.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.po.exe.42f4688.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(16 further entries not shown)

System Summary

Sigma rule matches:
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, ProcessId: 6968, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\po.lnk
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, Initiated: true, ProcessId: 2328, Protocol: tcp, SourceIp: 192.168.2.12, SourceIsIpv6: false, SourcePort: 49729
No Suricata rule has matched

AV Detection

Source: http://mail.iaa-airferight.com | Avira URL Cloud: Label: malware
Source: 11.2.AppLaunch.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source: C:\Users\user\AppData\Roaming\po.exe | ReversingLabs: Detection: 71%
Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\po.exe | Joe Sandbox ML: detected
Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Joe Sandbox ML: detected
Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.12:49728 version: TLS 1.2
Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb OU source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2510967632.00000000012D4000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17
Source: Joe Sandbox View | IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View | IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View | IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View | ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.12:49729 -> 46.175.148.58:25
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DBE000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DBE000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DBE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DBE000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DBE000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: po.exe.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: AppLaunch.exe, 0000000B.00000002.3611482014.0000000006A5C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DBE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DBE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DBE000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: AppLaunch.exe, 0000000B.00000002.3611482014.00000000069E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: po.exe, 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3317600419.00000000042F3000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.3608105838.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: po.exe, 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3317600419.00000000042F3000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.3611482014.00000000069E1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.3608105838.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: AppLaunch.exe, 0000000B.00000002.3611482014.00000000069E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: AppLaunch.exe, 0000000B.00000002.3611482014.00000000069E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: cmd.exe, 00000004.00000003.2654856365.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, po.exe.4.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.12:49728 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 10.2.po.exe.43446a8.2.raw.unpack, abAX9N.cs | .Net Code: BFeixnEv
Source: 10.2.po.exe.42f4688.1.raw.unpack, abAX9N.cs | .Net Code: BFeixnEv
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

                    barindex
                    Source: 10.2.po.exe.43446a8.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 10.2.po.exe.42f4688.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 11.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 10.2.po.exe.42f4688.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 10.2.po.exe.43446a8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: initial sampleStatic PE information: Filename: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1CA308 CreateProcessAsUserW,10_2_0A1CA308
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_016F6ED80_2_016F6ED8
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_016FAE980_2_016FAE98
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_016F7B280_2_016F7B28
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_016FAE680_2_016FAE68
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A3600400_2_0A360040
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A3676B80_2_0A3676B8
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A36B3B10_2_0A36B3B1
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A36B3C00_2_0A36B3C0
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A5600400_2_0A560040
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A56C4A80_2_0A56C4A8
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A5600060_2_0A560006
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A8E45070_2_0A8E4507
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A8E2AF00_2_0A8E2AF0
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A8E2B000_2_0A8E2B00
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeCode function: 0_2_0A8EA3780_2_0A8EA378
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_00E96ED810_2_00E96ED8
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_00E9AE9810_2_00E9AE98
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_00E97B2810_2_00E97B28
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_00E9AE6810_2_00E9AE68
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_087C003A10_2_087C003A
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_087CBA3010_2_087CBA30
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_087CBA2110_2_087CBA21
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_087C94F410_2_087C94F4
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0896044810_2_08960448
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0896872010_2_08968720
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0896A32810_2_0896A328
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09C9004010_2_09C90040
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09C976B810_2_09C976B8
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09C9B3C010_2_09C9B3C0
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09C9B3B110_2_09C9B3B1
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09C9EF5810_2_09C9EF58
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7C15010_2_09E7C150
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7CB2110_2_09E7CB21
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7BA2810_2_09E7BA28
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7DA3010_2_09E7DA30
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E79E1810_2_09E79E18
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7ADE910_2_09E7ADE9
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7D9C310_2_09E7D9C3
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7B98D10_2_09E7B98D
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7F4C010_2_09E7F4C0
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7E8C910_2_09E7E8C9
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7F4D010_2_09E7F4D0
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7E8D810_2_09E7E8D8
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7F7C010_2_09E7F7C0
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7FB4010_2_09E7FB40
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7074810_2_09E70748
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E7FB3110_2_09E7FB31
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E9004010_2_09E90040
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E9FB6110_2_09E9FB61
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E9FB7010_2_09E9FB70
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E9EE7110_2_09E9EE71
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C564F10_2_0A1C564F
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C342810_2_0A1C3428
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1CA57010_2_0A1CA570
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1CAD9010_2_0A1CAD90
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1CFA3810_2_0A1CFA38
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1CE69810_2_0A1CE698
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C36C810_2_0A1C36C8
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C36C710_2_0A1C36C7
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C0B3110_2_0A1C0B31
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C734810_2_0A1C7348
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C734710_2_0A1C7347
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C0B8810_2_0A1C0B88
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C4B8010_2_0A1C4B80
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C43BF10_2_0A1C43BF
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C43C010_2_0A1C43C0
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C8C3810_2_0A1C8C38
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C342A10_2_0A1C342A
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C004010_2_0A1C0040
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C850810_2_0A1C8508
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C3D5810_2_0A1C3D58
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1C3D5710_2_0A1C3D57
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_0A1CE9B010_2_0A1CE9B0
                    Source: C:\Users\user\AppData\Roaming\po.exeCode function: 10_2_09E9001110_2_09E90011
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_04DCADF011_2_04DCADF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_04DC3E8011_2_04DC3E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_04DCA96811_2_04DCA968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_04DC4A9811_2_04DC4A98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_04DC41C811_2_04DC41C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_04DCF8A511_2_04DCF8A5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_0950A14011_2_0950A140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_0950E0C811_2_0950E0C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_0950C35811_2_0950C358
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_0950033811_2_09500338
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_0950357811_2_09503578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_095045A011_2_095045A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_09503CA011_2_09503CA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 11_2_0950565011_2_09505650
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static PE information: invalid certificate
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000000.2350896489.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOculusSetup.exe: vs G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2536597554.0000000007610000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameHPzFG9.dll" vs G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2510814259.000000000129E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2517202114.000000000497F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHPzFG9.dll" vs G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2534549381.0000000006211000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHPzFG9.dll" vs G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Binary or memory string: OriginalFilenameOculusSetup.exe: vs G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 10.2.po.exe.43446a8.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.po.exe.42f4688.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 11.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.po.exe.42f4688.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.po.exe.43446a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, Ec6.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: po.exe.4.dr, Ec6.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 10.2.po.exe.43446a8.2.raw.unpack, RsYAkkzVoy.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 10.2.po.exe.43446a8.2.raw.unpack, Kqqzixk.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 10.2.po.exe.43446a8.2.raw.unpack, xROdzGigX.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 10.2.po.exe.43446a8.2.raw.unpack, ywes.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 10.2.po.exe.43446a8.2.raw.unpack, iPVW0zV.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 10.2.po.exe.43446a8.2.raw.unpack, 1Pi9sgbHwoV.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 10.2.po.exe.43446a8.2.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 10.2.po.exe.43446a8.2.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/5@2/3
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\po.lnk
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1416:120:WilError_03
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | ReversingLabs: Detection: 71%
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | File read: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe "C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe"
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe" "C:\Users\user\AppData\Roaming\po.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\user\AppData\Roaming\po.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\po.exe "C:\Users\user\AppData\Roaming\po.exe"
                    Source: C:\Users\user\AppData\Roaming\po.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
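                    The cmd.exe command line in the process tree above is the whole staging logic in one string: two loopback pings used as a delay, a self-copy into %APPDATA%, then execution of the copy. The detection below is an added example written for this write-up; it is not Joe Sandbox code or code from the sample. The event records are constructed to mirror the report's process tree, and their field names (image, parent, cmdline) are an assumption loosely modelled on Sysmon process-creation events, not a real log schema.

```python
"""Flag cmd.exe chains that sleep via loopback ping, self-copy into a user-writable
path and run the copy. Added example; events below are constructed, not real telemetry."""
from __future__ import annotations
import re

SAMPLE = r"C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe"
DROP = r"C:\Users\user\AppData\Roaming\po.exe"

# Constructed events: the report's chain plus one benign control (admin pinging a host).
EVENTS = [
    {"image": SAMPLE, "parent": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"image": r"C:\Windows\SysWOW64\cmd.exe", "parent": SAMPLE,
     "cmdline": f'"cmd" /c ping 127.0.0.1 -n 17 > nul && copy "{SAMPLE}" "{DROP}" '
                f'&& ping 127.0.0.1 -n 17 > nul && "{DROP}"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd /c ping 10.0.0.5 -n 4"},
]

CMD_WRAPPER = re.compile(r'^\s*"?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&)\s*")
# ping against loopback with an explicit request count, in either argument order
PING_SLEEP = re.compile(
    r"^ping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:127\.0\.0\.1|localhost|::1)\b(?:\s+-n\s+(\d+))?", re.I)
COPY_CMD = re.compile(
    r'^copy\s+(?:/\w\s+)*(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*$', re.I)
EXEC_CMD = re.compile(r'^(?:"([^"]+\.exe)"|(\S+\.exe))(?:\s.*)?$', re.I)
# Assumption: these are the user-writable roots worth flagging for a self-copy.
USER_WRITABLE = re.compile(
    r"\\AppData\\(?:Roaming|Local)\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.I)


def split_chain(cmdline: str) -> list[str]:
    """Drop the `cmd /c` wrapper and split the remainder into its chained commands."""
    body = CMD_WRAPPER.sub("", cmdline)
    return [seg.strip() for seg in CHAIN_SPLIT.split(body) if seg.strip()]


def analyze_chain(cmdline: str) -> dict:
    """Extract total ping-sleep, the self-copy destination and whether the copy is launched."""
    result = {"sleep_seconds": 0, "staged_copy": None, "runs_staged_copy": False, "findings": []}
    for seg in split_chain(cmdline):
        if m := PING_SLEEP.match(seg):
            # ping sends about one request per second, so -n N delays roughly N seconds
            result["sleep_seconds"] += int(m.group(1) or m.group(2) or 4)
        elif m := COPY_CMD.match(seg):
            dst = m.group(3) or m.group(4)
            if USER_WRITABLE.search(dst):
                result["staged_copy"] = dst
        elif (m := EXEC_CMD.match(seg)) and result["staged_copy"]:
            exe = m.group(1) or m.group(2)
            if exe.lower() == result["staged_copy"].lower():
                result["runs_staged_copy"] = True
    if result["sleep_seconds"] >= 5:
        result["findings"].append(f"loopback ping used as a ~{result['sleep_seconds']}s sleep")
    if result["staged_copy"]:
        result["findings"].append(f"self-copy into user-writable path {result['staged_copy']}")
    if result["runs_staged_copy"]:
        result["findings"].append("staged copy launched from the same chain")
    return result


def triage(event: dict) -> tuple[str, list[str]]:
    """Severity for one process-creation event: 'high', 'medium' or 'none'."""
    if not event["image"].lower().endswith("\\cmd.exe"):
        return "none", []
    r = analyze_chain(event["cmdline"])
    findings = list(r["findings"])
    if findings and not event["parent"].lower().endswith("\\explorer.exe"):
        findings.append(f"cmd.exe spawned by non-shell parent {event['parent']}")
    if r["staged_copy"] and r["runs_staged_copy"]:
        return "high", findings
    return ("medium", findings) if findings else ("none", [])


if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev)[0], ev["cmdline"][:70])
```

                    The rule keys on the combination rather than on ping alone: a single `ping 127.0.0.1 -n N` is common in batch scripts, but a loopback ping chained with a copy into the profile and an immediate launch of that copy, spawned by a non-shell parent, is the staging pattern this sample shows and is rare in legitimate software.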
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: sxs.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: scrrun.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\po.exe | Section loaded: windowscodecs.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                    Source: po.lnk.0.dr | LNK file: ..\..\..\..\..\po.exe
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static file information: File size 2628152 > 1048576
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x220a00
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb OU source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2510967632.00000000012D4000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: Yara match | File source: 10.2.po.exe.43446a8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe.4d486d8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe.7610000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe.7610000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe.4d486d8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe.4c486b8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2517202114.0000000004916000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2512152964.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2536597554.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2534549381.0000000006211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2517202114.000000000497F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe PID: 6968, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: po.exe PID: 2712, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Code function: 0_2_0A36AE3B push esp; iretd 0_2_0A36AE41
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Code function: 0_2_0A566205 push eax; ret 0_2_0A56630E
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Code function: 0_2_0A8E7FCD push eax; retf 0_2_0A8E810D
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Code function: 0_2_0A8EAB3D push FFFFFF8Bh; iretd 0_2_0A8EAB3F
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Code function: 0_2_0A8E8115 push ebx; retf 0_2_0A8E81D2
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Code function: 0_2_0A8E2573 push ebx; ret 0_2_0A8E2579
                    Source: C:\Users\user\AppData\Roaming\po.exe | Code function: 10_2_055E9900 push esp; ret 10_2_055E9901
                    Source: C:\Users\user\AppData\Roaming\po.exe | Code function: 10_2_055E9A00 pushfd ; ret 10_2_055E9A01
                    Source: C:\Users\user\AppData\Roaming\po.exe | Code function: 10_2_09E7797E push ds; retf 10_2_09E7797F
                    Source: C:\Users\user\AppData\Roaming\po.exe | Code function: 10_2_09E969E1 push eax; ret 10_2_09E969F3
                    Source: C:\Users\user\AppData\Roaming\po.exe | Code function: 10_2_09E97191 push ecx; ret 10_2_09E971A2
                    Source: C:\Users\user\AppData\Roaming\po.exe | Code function: 10_2_09E9E91B push ebx; ret 10_2_09E9E921
                    Source: C:\Users\user\AppData\Roaming\po.exe | Code function: 10_2_09E97080 pushad ; ret 10_2_09E97093
                    Source: C:\Users\user\AppData\Roaming\po.exe | Code function: 10_2_09E96205 push eax; ret 10_2_09E9630E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 11_2_04DC0C45 push ebx; retf 11_2_04DC0C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 11_2_04DC0C6D push edi; retf 11_2_04DC0C7A
                    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\po.exe
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\po.lnk

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | File opened: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe\:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\po.exe | File opened: C:\Users\user\AppData\Roaming\po.exe\:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Process information set: NOOPENFILEERRORBOX (43 identical entries)
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\po.exe Process information set: NOOPENFILEERRORBOX (observed 47 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX (observed 63 times)

                    Malware Analysis System Evasion

                    Source: Yara match, File source: Process Memory Space: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe PID: 6968, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: po.exe PID: 2712, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17 (observed 4 times)
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Memory allocated: 16B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Memory allocated: 3090000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Memory allocated: 5090000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Memory allocated: 6210000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Memory allocated: 5950000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Memory allocated: 7800000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Memory allocated: 8800000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: E90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: 2A30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: 2980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: 5BA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: 52B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: 7090000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: 8090000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: 7090000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: A1D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: B1D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\po.exe Memory allocated: B670000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 4DC0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 69E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 6710000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Thread delayed: delay time: 922337203685477 (observed 2 times)
                    Source: C:\Users\user\AppData\Roaming\po.exe Thread delayed: delay time: 922337203685477 (observed 2 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Window / User API: threadDelayed 6006
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Window / User API: threadDelayed 2438
                    Source: C:\Users\user\AppData\Roaming\po.exe Window / User API: threadDelayed 6774
                    Source: C:\Users\user\AppData\Roaming\po.exe Window / User API: threadDelayed 1705
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 1890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 7941
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe TID: 6204 Thread sleep time: -24903104499507879s >= -30000s
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe TID: 6988 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\po.exe TID: 652 Thread sleep time: -64000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\po.exe TID: 3336 Thread sleep time: -26747778906878833s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\po.exe TID: 4240 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep count: 39 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -35971150943733603s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6384 Thread sleep count: 1890 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -99875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6384 Thread sleep count: 7941 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -99766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -99641s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -99516s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -99407s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -99282s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -99157s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -99047s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -98938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -98813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -98688s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -98563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -98438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -98325s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -98213s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -98000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -97879s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -97750s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -97640s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -97531s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -97422s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -97313s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -97188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -97063s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -96953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -96844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -96719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -96609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -96500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -96391s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -96281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -96172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -96063s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -95938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -95828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -95719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -95594s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -95484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -95375s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -95239s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -95124s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -95014s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -94900s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -94786s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -94665s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -94563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -94453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -94344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -94235s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -94110s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 Thread sleep time: -93985s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe Thread delayed: delay time: 922337203685477 (observed 2 times)
                    Source: C:\Users\user\AppData\Roaming\po.exe Thread delayed: delay time: 922337203685477 (observed 2 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 99875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 99766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 99641Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 99516Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 99407Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 99282Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 99157Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 99047Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 98938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 98813Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 98688Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 98563Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 98438Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 98325Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 98213Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 98000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 97879Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 97750Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 97640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 97531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 97422Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 97313Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 97188Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 97063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 96953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 96844Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 96719Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 96609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 96500Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 96391Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 96281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 96172Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 96063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 95938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 95828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 95719Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 95594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 95484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 95375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 95239Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 95124Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 95014Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 94900Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 94786Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 94665Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 94563Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 94453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 94344Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 94235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 94110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 93985Jump to behavior
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2536100794.0000000007410000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2512152964.0000000003091000.00000004.00000800.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2536597554.0000000007610000.00000004.08000000.00040000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2517202114.000000000497F000.00000004.00000800.00020000.00000000.sdmp, G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2534549381.0000000006211000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
                    Source: po.exe, 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q#SOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2534549381.0000000006211000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 806010189GSOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe, 00000000.00000002.2536100794.0000000007410000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\)
                    Source: AppLaunch.exe, 0000000B.00000002.3618301282.0000000009BDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\AppData\Roaming\po.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\AppData\Roaming\po.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Roaming\po.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exeMemory allocated: page read and write | page guardJump to behavior
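The sleep, WMI, memory-string and DebugPort lines above are the raw material an analyst uses to decide whether a sample is stalling or fingerprinting the sandbox. The following triage script is an added example, not code from the Joe Sandbox report or from the sample: it parses lines in the report's own two-column layout, totals the sleeps per process against the 30000 threshold the report's sleep rule prints, collects hardware-enumeration WMI classes and hypervisor-vendor strings, and counts DebugPort queries. The 922337203685477 delay the report shows for all three processes is Int64.MaxValue in 100 ns ticks divided by 10000, i.e. a .NET TimeSpan.MaxValue wait, so it is treated as an infinite sleep rather than added to the total. The SAMPLE_LINES are constructed to mirror the report (with one benign notepad.exe control line); the marker and WMI class lists are this example's own choices.

```python
"""Triage of sandbox-evasion indicators in Joe Sandbox style behavior lines.

Added example; the input lines are constructed in the report's own format.
"""
import re
from collections import defaultdict

SAMPLE_LINES = [  # constructed, in the report's "Source: <image> | <detail>" layout
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 | Thread sleep time: -96281s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3636 | Thread sleep time: -96172s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Thread delayed: delay time: 100000",
    r"Source: C:\Users\user\AppData\Roaming\po.exe | Thread delayed: delay time: 922337203685477",
    r"Source: po.exe, 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q#SOFTWARE\VMware, Inc.\VMware VGAuth",
    # "Hyper-V RAW" lives in mswsock.dll on every current Windows build, so it is deliberately
    # not in VM_MARKERS: this line must not raise a vm-strings reason on its own.
    r"Source: AppLaunch.exe, 0000000B.00000002.3618301282.0000000009BDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    r"Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Process queried: DebugPort",
    r"Source: C:\Windows\System32\notepad.exe | Thread delayed: delay time: 250",  # constructed benign control
]

SLEEP_THRESHOLD = 30000                       # the bound the report's own sleep rule prints
INFINITE_DELAY = (2**63 - 1) // 10_000        # Int64.MaxValue ticks in ms == 922337203685477
HW_WMI_CLASSES = {"win32_baseboard", "win32_processor", "win32_computersystem", "win32_bios",
                  "win32_networkadapter", "win32_diskdrive", "win32_videocontroller"}  # assumed list
VM_MARKERS = ("vbox", "virtualbox", "vmware", "vgauth", "qemu", "xen")                 # assumed list

LINE_RE = re.compile(r"^Source: ([^|,]+?)(?: TID: \d+)?(?:,[^|]*)? \| (.*)$")
SLEEP_RE = re.compile(r"^Thread sleep time: -?(\d+)s")
DELAY_RE = re.compile(r"^Thread delayed: delay time: (\d+)$")
WMI_RE = re.compile(r"^WMI Queries: .*?(Win32_\w+)")
MEMSTR_RE = re.compile(r"^Binary or memory string: (.*)$")
DEBUG_RE = re.compile(r"^Process queried: DebugPort$")


def new_record():
    return {"sleep_total": 0, "sleep_calls": 0, "infinite_delay": False,
            "hw_wmi": set(), "vm_strings": [], "debug_checks": 0}


def parse_lines(lines):
    """Group the report's indicators by source image name (case-folded, path stripped)."""
    per_image = defaultdict(new_record)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        image = m.group(1).strip().rsplit("\\", 1)[-1].lower()
        detail = m.group(2)
        rec = per_image[image]
        if (s := SLEEP_RE.match(detail)) or (s := DELAY_RE.match(detail)):
            value = int(s.group(1))
            if value == INFINITE_DELAY:
                rec["infinite_delay"] = True      # a wait that never returns unless the sandbox skips it
            else:
                rec["sleep_total"] += value
                rec["sleep_calls"] += 1
        elif (w := WMI_RE.match(detail)):
            if w.group(1).lower() in HW_WMI_CLASSES:
                rec["hw_wmi"].add(w.group(1))
        elif (b := MEMSTR_RE.match(detail)):
            if any(marker in b.group(1).lower() for marker in VM_MARKERS):
                rec["vm_strings"].append(b.group(1))
        elif DEBUG_RE.match(detail):
            rec["debug_checks"] += 1
    return per_image


def evasion_verdicts(lines):
    """Return {image: [reasons]} for every image with at least one evasion indicator."""
    verdicts = {}
    for image, rec in parse_lines(lines).items():
        reasons = []
        if rec["infinite_delay"]:
            reasons.append("infinite-delay")
        if rec["sleep_total"] >= SLEEP_THRESHOLD:
            reasons.append(f"sleep-total:{rec['sleep_total']}/{rec['sleep_calls']}")
        if rec["hw_wmi"]:
            reasons.append("hw-wmi:" + ",".join(sorted(rec["hw_wmi"])))
        if rec["vm_strings"]:
            reasons.append(f"vm-strings:{len(rec['vm_strings'])}")
        if rec["debug_checks"]:
            reasons.append(f"debugger-checks:{rec['debug_checks']}")
        if reasons:
            verdicts[image] = reasons
    return verdicts


if __name__ == "__main__":
    for image, reasons in evasion_verdicts(SAMPLE_LINES).items():
        print(image, "->", "; ".join(reasons))
```

Run against the full report, the per-process totals make the stalling pattern visible: AppLaunch.exe issues a long run of delays shrinking by roughly 110 units per call, which is a countdown loop rather than a single sleep, and that shape survives even when a sandbox shortens each individual wait.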

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\po.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\po.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Roaming\po.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 402000
Source: C:\Users\user\AppData\Roaming\po.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\po.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\po.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 672008
Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe" "C:\Users\user\AppData\Roaming\po.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\user\AppData\Roaming\po.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\po.exe "C:\Users\user\AppData\Roaming\po.exe"
Source: C:\Users\user\AppData\Roaming\po.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
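The lines above describe the whole infection chain in two steps: the sample runs cmd.exe with two loopback pings of 17 echoes as a sleep, copies itself to AppData\Roaming\po.exe and launches the copy; po.exe then spawns the signed .NET host AppLaunch.exe and writes a PE image into it starting at base 400000 with the bytes 4D5A ("MZ"), which is why the report flags "Injects a PE file into a foreign processes". The script below is an added example, not code from the report or from the sample, showing how both steps can be scored from process-creation and memory-write events. The EVENTS records are constructed to mirror the report's lines (this is not the sandbox's export format), and the rule that the writer must be the target's parent is this example's own heuristic.

```python
"""Triage of a ping-sleep dropper chain and a PE-header write into a child process.

Added example; the event records are constructed to mirror the report.
"""
import re

EVENTS = [  # constructed from the report's process-creation and memory-write lines
    {"type": "process_created",
     "parent": r"C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'"cmd" /c ping 127.0.0.1 -n 17 > nul && '
                 r'copy "C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe" '
                 r'"C:\Users\user\AppData\Roaming\po.exe" && ping 127.0.0.1 -n 17 > nul && '
                 r'"C:\Users\user\AppData\Roaming\po.exe"')},
    {"type": "process_created", "parent": r"C:\Users\user\AppData\Roaming\po.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'},
    {"type": "memory_written", "writer": r"C:\Users\user\AppData\Roaming\po.exe",
     "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "base": 0x400000, "first_bytes": "4D5A"},
    {"type": "memory_written", "writer": r"C:\Users\user\AppData\Roaming\po.exe",
     "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "base": 0x43C000, "first_bytes": None},      # section write that follows the header
    {"type": "memory_written", "writer": r"C:\Windows\System32\csrss.exe",  # constructed control:
     "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",  # not the parent
     "base": 0x400000, "first_bytes": "4D5A"},
]

PE_MAGIC = "4D5A"               # "MZ"
DEFAULT_IMAGE_BASE = 0x400000   # usual base of a 32-bit PE; Framework\ (not Framework64\) is the 32-bit runtime


def split_chain(cmdline):
    """Drop the cmd /c wrapper and split on cmd.exe's &&, || and & chaining operators."""
    body = re.sub(r'^\s*"?cmd(?:\.exe)?"?\s+/[ck]\s+', "", cmdline, flags=re.I)
    return [seg.strip() for seg in re.split(r"\s*(?:&&|\|\||&)\s*", body) if seg.strip()]


def analyze_cmdline(cmdline):
    """Score one command line for the ping-sleep / copy-to-AppData / relaunch pattern."""
    result = {"ping_sleep_echoes": 0, "copy_to_appdata": False, "exec_from_appdata": False}
    for seg in split_chain(cmdline):
        ping = re.match(r"ping(?:\.exe)?\s+(.*)", seg, re.I)
        if ping and re.search(r"127\.0\.0\.1|\blocalhost\b|::1", ping.group(1)):
            count = re.search(r"-n\s+(\d+)", ping.group(1), re.I)
            # ping waits about a second between echoes, so "-n 17" to loopback is a
            # roughly 16 s sleep that calls no sleep API and looks like a network check.
            result["ping_sleep_echoes"] += int(count.group(1)) if count else 4
        if re.match(r"copy\s", seg, re.I) and re.search(r"\\AppData\\", seg, re.I):
            result["copy_to_appdata"] = True
        if re.fullmatch(r'"?[A-Za-z]:\\Users\\[^"]*\\AppData\\[^"]*\.exe"?(?:\s.*)?', seg, re.I):
            result["exec_from_appdata"] = True
    result["dropper_chain"] = (result["ping_sleep_echoes"] > 4
                               and result["copy_to_appdata"] and result["exec_from_appdata"])
    return result


def detect_image_writes(events):
    """Flag a parent writing a PE header at the default image base of a child it created:
    the report's 'Memory written ... base: 400000 value starts with: 4D5A'."""
    children = {(e["parent"].lower(), e["image"].lower())
                for e in events if e["type"] == "process_created"}
    hits = []
    for e in events:
        if e["type"] != "memory_written":
            continue
        writer, target = e["writer"].lower(), e["target"].lower()
        if (writer, target) not in children:
            continue                          # not the parent: outside this heuristic
        if e["base"] == DEFAULT_IMAGE_BASE and (e.get("first_bytes") or "").upper() == PE_MAGIC:
            hits.append({
                "writer": e["writer"], "target": e["target"], "base": hex(e["base"]),
                "writer_in_user_dir": "\\users\\" in writer,               # dropped file, not an installed app
                "target_is_os_binary": target.startswith("c:\\windows\\"),  # trusted host image
            })
    return hits


if __name__ == "__main__":
    print(analyze_cmdline(EVENTS[0]["cmdline"]))
    for hit in detect_image_writes(EVENTS):
        print(hit)
```

The two checks are deliberately narrow. Loopback pings with a large -n count are almost never legitimate in a command chain that also copies and launches a binary, and a parent from a user-writable directory writing "MZ" at a system binary's image base has no benign explanation; the follow-up writes at 402000, 43C000 and 43E000 in the report are the image's sections landing behind that header.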
Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Queries volume information: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe VolumeInformation
Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\po.exe | Queries volume information: C:\Users\user\AppData\Roaming\po.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\po.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\po.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\po.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\po.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 10.2.po.exe.43446a8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.po.exe.42f4688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.po.exe.42f4688.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.po.exe.43446a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3611482014.0000000006A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3611482014.0000000006A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3608105838.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3317600419.00000000042F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: po.exe PID: 2712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 2328, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
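Every path and key above is a credential store, and the process opening them is a .NET framework host, not the browser, mail or SFTP client that owns the data. That mismatch is the detection. The script below is an added example, not code from the report or from the sample: it keeps a watchlist of the stores the report shows being read, each with the image that legitimately opens it, and flags any other opener together with the class of credential it went after (browser, mail, ftp, winscp), which lines up with the report's harvest signatures. The event lines are constructed in the report's two-column layout with one benign chrome.exe control added; the owner process names and categories in WATCHLIST are this example's assumptions, not something the report states.

```python
"""Credential-store access triage: flag opens of known password stores by non-owner images.

Added example; lines are constructed in the report's format, owner names are assumptions.
"""
import re
from fnmatch import fnmatchcase

# (kind, glob over the opened path or key, category, assumed legitimate owner images)
WATCHLIST = [
    ("file", r"*\AppData\Local\Google\Chrome\User Data\*\Login Data",          "browser", {"chrome.exe"}),
    ("file", r"*\AppData\Local\Microsoft\Edge\User Data\*\Login Data",         "browser", {"msedge.exe"}),
    ("file", r"*\AppData\Roaming\Mozilla\Firefox\profiles.ini",                 "browser", {"firefox.exe"}),
    ("file", r"*\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini",           "browser", {"cyberfox.exe"}),
    ("file", r"*\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini",  "browser", {"blackhawk.exe"}),
    ("file", r"*\FTP Navigator\Ftplist.txt",                                    "ftp",     {"ftpnavigator.exe"}),
    ("file", r"*\AppData\Roaming\Thunderbird\profiles.ini",                     "mail",    {"thunderbird.exe"}),
    ("key",  r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles*",
                                                                                "mail",    {"outlook.exe"}),
    ("key",  r"HKEY_CURRENT_USER\Software\IncrediMail\Identities*",             "mail",    {"incmail.exe"}),
    ("key",  r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions*",   "winscp",  {"winscp.exe"}),
]

SAMPLE_LINES = [  # constructed: the report's accesses plus one benign control at the end
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\FTP Navigator\Ftplist.txt",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]

LINE_RE = re.compile(r"^Source: (.+?) \| (File|Key) opened: (.+)$")


def parse_access(line):
    """Return (image name lower-cased, 'file' | 'key', target) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    image, kind, target = m.groups()
    return image.rsplit("\\", 1)[-1].lower(), kind.lower(), target


def credential_access_hits(lines):
    """Return (image, category, target) for every watchlisted open by a non-owner image."""
    hits = []
    for line in lines:
        parsed = parse_access(line)
        if parsed is None:
            continue
        image, kind, target = parsed
        for w_kind, pattern, category, owners in WATCHLIST:
            # fnmatchcase on lower-cased text: '*' spans backslashes and backslash is literal
            if w_kind == kind and fnmatchcase(target.lower(), pattern.lower()):
                if image not in owners:
                    hits.append((image, category, target))
                break
    return hits


def categories_by_image(lines):
    """Which classes of credential store each non-owner image touched."""
    summary = {}
    for image, category, _ in credential_access_hits(lines):
        summary.setdefault(image, set()).add(category)
    return {image: sorted(cats) for image, cats in summary.items()}


if __name__ == "__main__":
    for image, cats in categories_by_image(SAMPLE_LINES).items():
        print(image, "reads", ", ".join(cats), "credential stores")
```

In production the owner set for each store should come from your own inventory rather than from this list, and the interesting signal is breadth: one process that reads browser, mail, FTP and SFTP stores within seconds is a stealer regardless of which family the Yara rules name.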
Source: Yara match | File source: 10.2.po.exe.43446a8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.po.exe.42f4688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.po.exe.42f4688.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.po.exe.43446a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3611482014.0000000006A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3608105838.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3317600419.00000000042F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: po.exe PID: 2712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 2328, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 10.2.po.exe.43446a8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.po.exe.42f4688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.AppLaunch.exe.400000.0.unpack, type: UNPAC KEDPE
Source: Yara match | File source: 10.2.po.exe.42f4688.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.po.exe.43446a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3611482014.0000000006A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3611482014.0000000006A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3608105838.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3317600419.00000000042F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: po.exe PID: 2712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 2328, type: MEMORYSTR
MITRE ATT&CK Matrix, rebuilt per tactic column from the flattened table. A bracketed figure is the badge count the matrix shows next to a matched technique; entries without one are the matrix's standard unmatched cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: [1] Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: [121] Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: [1] DLL Side-Loading; [1] Valid Accounts; [2] Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: [1] DLL Side-Loading; [1] Valid Accounts; [1] Access Token Manipulation; [211] Process Injection; [2] Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: [1] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [1] Obfuscated Files or Information; [1] DLL Side-Loading; [1] Masquerading; [1] Valid Accounts; [1] Access Token Manipulation; [151] Virtualization/Sandbox Evasion; [211] Process Injection; [1] Hidden Files and Directories
Credential Access: [2] OS Credential Dumping; [21] Input Capture; [1] Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: [1] File and Directory Discovery; [24] System Information Discovery; [221] Security Software Discovery; [1] Process Discovery; [151] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] Remote System Discovery; [11] System Network Configuration Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: [11] Archive Collected Data; [2] Data from Local System; [1] Email Collection; [21] Input Capture; [1] Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: [1] Ingress Tool Transfer; [11] Encrypted Channel; [2] Non-Application Layer Protocol; [23] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1501084 | Sample: G_24370-24396_SI2_S25_8658_... | Startdate: 29/08/2024 | Architecture: WINDOWS | Score: 100

Start node: contacts mail.iaa-airferight.com and api.ipify.org. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures.

Process tree (bracketed numbers are the graph's per-process badge counts as extracted):
- G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe [4], started
  Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  - cmd.exe [3], started
    Dropped: C:\Users\user\AppData\Roaming\po.exe (PE32); C:\Users\user\...\po.exe:Zone.Identifier (ASCII)
    Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
    - po.exe [2], started
      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
      - AppLaunch.exe [15 2], started
        Network: mail.iaa-airferight.com 46.175.148.58, 25 (ASLAGIDKOM-NETUA, Ukraine); api.ipify.org 172.67.74.152, 443, 49728 (CLOUDFLARENETUS, United States)
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 3 other signatures
    - PING.EXE [1], started; contacts 127.0.0.1 (unknown, unknown)
    - conhost.exe, started
    - PING.EXE [1], started

Source | Detection | Scanner | Label | Link
G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | 71% | ReversingLabs | Win32.Spyware.Negasteal |
G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\po.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\po.exe | 71% | ReversingLabs | Win32.Spyware.Negasteal |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.ipify.org/ | 0% | URL Reputation | safe |
https://api.ipify.org | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
https://api.ipify.org/t | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://mail.iaa-airferight.com | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | po.exe, 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3317600419.00000000042F3000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.3611482014.00000000069E1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.3608105838.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | po.exe, 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3317600419.00000000042F3000.00000004.00000800.00020000.00000000.sdmp, po.exe, 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.3608105838.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org/t | AppLaunch.exe, 0000000B.00000002.3611482014.00000000069E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AppLaunch.exe, 0000000B.00000002.3611482014.00000000069E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.iaa-airferight.com | AppLaunch.exe, 0000000B.00000002.3611482014.0000000006A5C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                        IP
                        127.0.0.1
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1501084
                        Start date and time:2024-08-29 12:10:44 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 6m 38s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@12/5@2/3
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 96%
                        • Number of executed functions: 177
                        • Number of non-executed functions: 5
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
Time | Type | Description
06:11:46 | API Interceptor | 42x Sleep call for process: G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe modified
06:12:33 | API Interceptor | 75x Sleep call for process: po.exe modified
06:13:18 | API Interceptor | 256x Sleep call for process: AppLaunch.exe modified
12:11:51 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\po.lnk
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
46.175.148.58 | PO 102675-PI C247SH45.exe | Get hash | malicious | AgentTesla | Browse |
 | Purchase Order 0042040896.pdf.exe | Get hash | malicious | AgentTesla | Browse |
 | Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse |
 | SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe | Get hash | malicious | AgentTesla | Browse |
 | PO 102675-PI C247SH45.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse |
 | NINGBO-Invoices-Past Due.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse |
 | Payment Advice-DPEB08-2SDC - SS25 Price C246SH32.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse |
 | New RFQ Compliance_Matrix_Product.exe | Get hash | malicious | AgentTesla, RedLine | Browse |
 | New PO Compliance_Matrix_Product.exe | Get hash | malicious | AgentTesla, RedLine | Browse |
 | Shipmernt copy.exe | Get hash | malicious | AgentTesla | Browse |
172.67.74.152 | zE7Ken4cFt.dll | Get hash | malicious | Quasar | Browse | api.ipify.org/
 | FormPlayer.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | PandaClient.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | golang-modules.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | 242764.exe | Get hash | malicious | Ficker Stealer, Rusty Stealer | Browse | api.ipify.org/?format=wef
 | K8mzlntJVN.msi | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | stub.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | stub.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | Sonic-Glyder.exe | Get hash | malicious | Stealit | Browse | api.ipify.org/?format=json
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.iaa-airferight.com | PO 102675-PI C247SH45.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | Purchase Order 0042040896.pdf.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
 | SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | PO 102675-PI C247SH45.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
 | NINGBO-Invoices-Past Due.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
 | Payment Advice-DPEB08-2SDC - SS25 Price C246SH32.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
 | New RFQ Compliance_Matrix_Product.exe | Get hash | malicious | AgentTesla, RedLine | Browse | 46.175.148.58
 | New PO Compliance_Matrix_Product.exe | Get hash | malicious | AgentTesla, RedLine | Browse | 46.175.148.58
 | Shipmernt copy.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
api.ipify.org | Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 104.26.13.205
 | Programa de Mentoring y Apoyo a la Internacionalizaci#U00f3n.exe | Get hash | malicious | GuLoader | Browse | 104.26.13.205
 | 5649237431_23-10-23-08.49.23.0107.07.exe | Get hash | malicious | GuLoader | Browse | 104.26.12.205
 | Hua San Particulars.doc.scr.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
 | BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
 | Catalina - Particulars.pdf.scr.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
 | SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
 | rARKMONEY.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.74.152
 | z55enyioma.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
 | https://request-label-13956753.pages.dev/help/contact/135346556695032 | Get hash | malicious | Unknown | Browse | 104.26.13.205
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ASLAGIDKOM-NETUA | PO 102675-PI C247SH45.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | Purchase Order 0042040896.pdf.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
 | SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | PO 102675-PI C247SH45.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
 | NINGBO-Invoices-Past Due.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
 | Payment Advice-DPEB08-2SDC - SS25 Price C246SH32.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
 | New RFQ Compliance_Matrix_Product.exe | Get hash | malicious | AgentTesla, RedLine | Browse | 46.175.148.58
 | New PO Compliance_Matrix_Product.exe | Get hash | malicious | AgentTesla, RedLine | Browse | 46.175.148.58
 | Shipmernt copy.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
CLOUDFLARENETUS | Offer 2024-30496.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
 | pagamento.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
 | Po#70831.exe | Get hash | malicious | Azorult | Browse | 172.67.128.117
 | payment PAGO 2974749647839452.js | Get hash | malicious | Unknown | Browse | 162.159.130.233
 | Document_pdf.exe | Get hash | malicious | FormBook | Browse | 104.21.62.58
 | file.exe | Get hash | malicious | Unknown | Browse | 172.64.41.3
 | Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 104.26.13.205
 | https://my.manychat.com/r?act=179c825ab8add5f9e8bacb82e520a126&u=7459244230843026&p=108345799024755&h=708b8c96be&fbclid=IwZXh0bgNhZW0CMTAAAR07FD8Q65AMa77uMdYFT9FANMjTbvHV0BrVDR-o7WBQKwVAUtHYk2rnVVU_aem_OFd7GNUGsZzyslAWr711gg | Get hash | malicious | Unknown | Browse | 104.17.25.14
 | https://tinyurl.com/NDCEurope | Get hash | malicious | Unknown | Browse | 104.18.86.42
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | payment PAGO 2974749647839452.js | Get hash | malicious | Unknown | Browse | 172.67.74.152
 | Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 172.67.74.152
 | https://paquete.centrodelvaquero.com/ | Get hash | malicious | Unknown | Browse | 172.67.74.152
 | QUOTATION_AUGQTRA071244#U00b7PDF.scr | Get hash | malicious | Unknown | Browse | 172.67.74.152
 | QUOTATION_AUGQTRA071244#U00b7PDF.scr | Get hash | malicious | Unknown | Browse | 172.67.74.152
 | 8468281651.exe | Get hash | malicious | Snake Keylogger | Browse | 172.67.74.152
 | file.exe | Get hash | malicious | Unknown | Browse | 172.67.74.152
 | input.htm | Get hash | malicious | Unknown | Browse | 172.67.74.152
 | SecuriteInfo.com.Trojan.Inject5.5513.6456.21079.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
                                            No context
                                            Process:C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                                            File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                            Category:dropped
                                            Size (bytes):862
                                            Entropy (8bit):3.0668858765696716
                                            Encrypted:false
                                            SSDEEP:12:8wl0FsXoCl/tz0/CSLvx1MJmgTCNfBT/v4t2YZ/elFlSJm:8G1WLJqEVpdqy
                                            MD5:16FC50BA1F43056DE04D32CC6B6AFE63
                                            SHA1:09C0D5ACD95282672866EAEC94CDCD7E3BC03563
                                            SHA-256:261273561DA381B137B2EB47E1847F9DDC7295213A120E945826F5ED3B84286D
                                            SHA-512:4F9179551743BA16796694CB36309E2002C918AFCC33ADDF5F8C038F77EBE0C1BE1339E4FAFC8E7CFE0F904AF5FE15ECCAC9C749609E2BEF530F906AEE8607F8
                                            Malicious:false
                                            Reputation:low
                                            Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................a.l.b.u.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....T.2...........po.exe..>............................................p.o...e.x.e.............\.....\.....\.....\.....\.p.o...e.x.e.%.C.:.\.U.s.e.r.s.\.a.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.p.o...e.x.e.............y.............>.e.L.:..er.=y...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................
                                            Process:C:\Windows\SysWOW64\cmd.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):2628152
                                            Entropy (8bit):7.766468006073971
                                            Encrypted:false
                                            SSDEEP:49152:5ZCif8dHfbds+Ee0HpEG3dNAGC/KpMxUQao54X9ioWN6MkdJSnN:PCifX+7qEpVw+J4N8rkdw
                                            MD5:94117AFF03DEC1ED2036AAB93E6EE76C
                                            SHA1:D095D0607A47C54ED7BC407362DDD73AD3175258
                                            SHA-256:06CE17C25D36E66683F7EAB6A010DE3F388A3097312E47875BA3EDA13C6DD4C1
                                            SHA-512:B15DFAA0AAAB45CE9BF20C8FD8A3CE466F1F9A77D88018262255BC67DC15436FC9FE857B5ABBE224B45DE6C2818B60571821C8EE65393CFF64F0475F5FD075D4
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 71%
                                            Reputation:low
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.O.................."..........)".. ...@"...@.. .......................@(...........`..................................)".K....@".I.............'.8.... (...................................................... ............... ..H............text.....".. ...."................. ..`.rsrc...I....@".......".............@..@.reloc....... (.......'.............@..B.................)".....H.........!..U.......... ...."!..........................................h.......q...B...I..]...h:......C.......+.......4V..D...S?..:?...q...........0......P................B...F...<..y....4..~d..Q....g..*K.....".......R....]..2....H.......O..L6...D..j....`..jc...h...&..%>..@$...=...p......h..-....Z......<...........)......6........s......ZC../X..:x...o......n.......m......^.............../...............>@..........L...H%.......l..ZD...U..o...CK..mf...u......BF...~...U..
                                            Process:C:\Windows\SysWOW64\cmd.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            Process:C:\Windows\SysWOW64\PING.EXE
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1068
                                            Entropy (8bit):4.814991866910862
                                            Encrypted:false
                                            SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeT0slJtCAFSkIrxMVlmJHaVzvv:/SGJsAokItULVDv
                                            MD5:C7F5131E6A85CF8BDA74092C9805F755
                                            SHA1:CA57A3BA51ECBE46FBC8143C31EED0AE4EADFA20
                                            SHA-256:54AC7EBA5E4DC544DFF04A56D60FB34322AE6D30B4246215139B50BFFD39B8EA
                                            SHA-512:79D2E71160915F618E91E181B3ABDF323B93BCC6CAACC7A364C39033118FFAF19E6CAC1F291EE3FFFBFC3992B62E4A5D282CE6E8C2D03063B3F1967A19A2ECF6
                                            Malicious:false
                                            Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 17, Received = 17, Lost = 0 (0% loss),..Approximate round trip times
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.766468006073971
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                                            File size:2'628'152 bytes
                                            MD5:94117aff03dec1ed2036aab93e6ee76c
                                            SHA1:d095d0607a47c54ed7bc407362ddd73ad3175258
                                            SHA256:06ce17c25d36e66683f7eab6a010de3f388a3097312e47875ba3eda13c6dd4c1
                                            SHA512:b15dfaa0aaab45ce9bf20c8fd8a3ce466f1f9a77d88018262255bc67dc15436fc9fe857b5abbe224b45de6c2818b60571821c8ee65393cff64f0475f5fd075d4
                                            SSDEEP:49152:5ZCif8dHfbds+Ee0HpEG3dNAGC/KpMxUQao54X9ioWN6MkdJSnN:PCifX+7qEpVw+J4N8rkdw
                                            TLSH:46C59D807F78D987F30A9834E0B0A6F4B0A71DA6C51B0087E47EFD69F77E614299E119
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.O.................."..........)".. ...@"...@.. .......................@(...........`................................
                                            Icon Hash:01392c2c794e1b07
                                            Entrypoint:0x6229de
                                            Entrypoint Section:.text
                                            Digitally signed:true
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x4FE226CB [Wed Jun 20 19:38:51 2012 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Signature Valid:false
                                            Signature Issuer:CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                                            Signature Validation Error:The digital signature of the object did not verify
                                            Error Number:-2146869232
Not Before:25/05/2021 02:00:00
Not After:30/05/2024 01:59:59
                                            Subject Chain
                                            • CN="Oculus VR, LLC", OU="Facebook Technologies, LLC", O="Oculus VR, LLC", L=Menlo Park, S=California, C=US
                                            Version:3
                                            Thumbprint MD5:7885AA7AA1FCC7BA4717886C139633CC
                                            Thumbprint SHA-1:2764A796D381E88A2B8AAD23B22AFAD09A37E147
                                            Thumbprint SHA-256:48FBA3244794EA26D81022CFC7E239B2E851C29C099D7B1CA7A57710C95847E9
                                            Serial:0C9344432C064405C0799B9A49E9EF89
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x222990 | 0x4b | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x224000 | 0x5dd49 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x27ec00 | 0x2e38 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x282000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0x2209e4 | 0x220a00 | 1d2405c32c9eff94a112eacd336ddcc4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x224000 | 0x5dd49 | 0x5de00 | f0cee70574b102c515fb750fb22d12be | False | 0.07783112100532623 | data | 5.0314406428521625 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x282000 | 0xc | 0x200 | fcdb585104b4dd41ba763c94b404b56a | False | 0.044921875 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 """ | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0x224280 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | | | 0.08968709333964273
                                            RT_ICON | 0x234aa8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | | | 0.16987482286254132
                                            RT_ICON | 0x238cd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.2183609958506224
                                            RT_ICON | 0x23b278 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | | | 0.253698224852071
                                            RT_ICON | 0x23cce0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.3198874296435272
                                            RT_ICON | 0x23dd88 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.37540983606557377
                                            RT_ICON | 0x23e710 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.5283687943262412
                                            RT_ICON | 0x23eb78 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | | | 0.048961446282214396
                                            RT_GROUP_ICON | 0x280ba0 | 0x76 | data | | | 0.7457627118644068
                                            RT_VERSION | 0x280c18 | 0x31c | data | English | United States | 0.4396984924623116
                                            RT_MANIFEST | 0x280f34 | 0xe15 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators | | | 0.3908460471567268
                                            DLL | Import
                                            mscoree.dll | _CorExeMain
                                            Language of compilation system | Country where language is spoken | Map
                                            English | United States |
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Aug 29, 2024 12:13:18.137417078 CEST | 49728 | 443 | 192.168.2.12 | 172.67.74.152
                                            Aug 29, 2024 12:13:18.137464046 CEST | 443 | 49728 | 172.67.74.152 | 192.168.2.12
                                            Aug 29, 2024 12:13:18.137521029 CEST | 49728 | 443 | 192.168.2.12 | 172.67.74.152
                                            Aug 29, 2024 12:13:18.148715973 CEST | 49728 | 443 | 192.168.2.12 | 172.67.74.152
                                            Aug 29, 2024 12:13:18.148731947 CEST | 443 | 49728 | 172.67.74.152 | 192.168.2.12
                                            Aug 29, 2024 12:13:18.611124992 CEST | 443 | 49728 | 172.67.74.152 | 192.168.2.12
                                            Aug 29, 2024 12:13:18.611207008 CEST | 49728 | 443 | 192.168.2.12 | 172.67.74.152
                                            Aug 29, 2024 12:13:18.649151087 CEST | 49728 | 443 | 192.168.2.12 | 172.67.74.152
                                            Aug 29, 2024 12:13:18.649172068 CEST | 443 | 49728 | 172.67.74.152 | 192.168.2.12
                                            Aug 29, 2024 12:13:18.649554014 CEST | 443 | 49728 | 172.67.74.152 | 192.168.2.12
                                            Aug 29, 2024 12:13:18.694139004 CEST | 49728 | 443 | 192.168.2.12 | 172.67.74.152
                                            Aug 29, 2024 12:13:18.968723059 CEST | 49728 | 443 | 192.168.2.12 | 172.67.74.152
                                            Aug 29, 2024 12:13:19.012511969 CEST | 443 | 49728 | 172.67.74.152 | 192.168.2.12
                                            Aug 29, 2024 12:13:19.072658062 CEST | 443 | 49728 | 172.67.74.152 | 192.168.2.12
                                            Aug 29, 2024 12:13:19.072732925 CEST | 443 | 49728 | 172.67.74.152 | 192.168.2.12
                                            Aug 29, 2024 12:13:19.072798014 CEST | 49728 | 443 | 192.168.2.12 | 172.67.74.152
                                            Aug 29, 2024 12:13:19.078236103 CEST | 49728 | 443 | 192.168.2.12 | 172.67.74.152
                                            Aug 29, 2024 12:13:19.630177021 CEST | 49729 | 25 | 192.168.2.12 | 46.175.148.58
                                            Aug 29, 2024 12:13:20.631628036 CEST | 49729 | 25 | 192.168.2.12 | 46.175.148.58
                                            Aug 29, 2024 12:13:22.631674051 CEST | 49729 | 25 | 192.168.2.12 | 46.175.148.58
                                            Aug 29, 2024 12:13:26.631779909 CEST | 49729 | 25 | 192.168.2.12 | 46.175.148.58
                                            Aug 29, 2024 12:13:34.631773949 CEST | 49729 | 25 | 192.168.2.12 | 46.175.148.58
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Aug 29, 2024 12:13:18.086446047 CEST | 65230 | 53 | 192.168.2.12 | 1.1.1.1
                                            Aug 29, 2024 12:13:18.099723101 CEST | 53 | 65230 | 1.1.1.1 | 192.168.2.12
                                            Aug 29, 2024 12:13:19.587357044 CEST | 64424 | 53 | 192.168.2.12 | 1.1.1.1
                                            Aug 29, 2024 12:13:19.629549980 CEST | 53 | 64424 | 1.1.1.1 | 192.168.2.12
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Aug 29, 2024 12:13:18.086446047 CEST | 192.168.2.12 | 1.1.1.1 | 0x984 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                            Aug 29, 2024 12:13:19.587357044 CEST | 192.168.2.12 | 1.1.1.1 | 0xdce7 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Aug 29, 2024 12:13:18.099723101 CEST | 1.1.1.1 | 192.168.2.12 | 0x984 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                            Aug 29, 2024 12:13:18.099723101 CEST | 1.1.1.1 | 192.168.2.12 | 0x984 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                            Aug 29, 2024 12:13:18.099723101 CEST | 1.1.1.1 | 192.168.2.12 | 0x984 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                            Aug 29, 2024 12:13:19.629549980 CEST | 1.1.1.1 | 192.168.2.12 | 0xdce7 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
                                            • api.ipify.org
                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            0 | 192.168.2.12 | 49728 | 172.67.74.152 | 443 | 2328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-08-29 10:13:18 UTC | 155 | OUT | GET / HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                            Host: api.ipify.org
                                            Connection: Keep-Alive
                                            2024-08-29 10:13:19 UTC | 211 | IN | HTTP/1.1 200 OK
                                            Date: Thu, 29 Aug 2024 10:13:19 GMT
                                            Content-Type: text/plain
                                            Content-Length: 11
                                            Connection: close
                                            Vary: Origin
                                            CF-Cache-Status: DYNAMIC
                                            Server: cloudflare
                                            CF-RAY: 8babc489df9172b1-EWR
                                            2024-08-29 10:13:19 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                            Data Ascii: 8.46.123.33


                                            Target ID:0
                                            Start time:06:11:43
                                            Start date:29/08/2024
                                            Path:C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe"
                                            Imagebase:0xac0000
                                            File size:2'628'152 bytes
                                            MD5 hash:94117AFF03DEC1ED2036AAB93E6EE76C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2517202114.0000000004916000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2512152964.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2536597554.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2534549381.0000000006211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2517202114.000000000497F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:4
                                            Start time:06:11:57
                                            Start date:29/08/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\user\Desktop\G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe" "C:\Users\user\AppData\Roaming\po.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\user\AppData\Roaming\po.exe"
                                            Imagebase:0x1f0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:06:11:57
                                            Start date:29/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff704000000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:06:11:57
                                            Start date:29/08/2024
                                            Path:C:\Windows\SysWOW64\PING.EXE
                                            Wow64 process (32bit):true
                                            Commandline:ping 127.0.0.1 -n 17
                                            Imagebase:0xfb0000
                                            File size:18'944 bytes
                                            MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:06:12:13
                                            Start date:29/08/2024
                                            Path:C:\Windows\SysWOW64\PING.EXE
                                            Wow64 process (32bit):true
                                            Commandline:ping 127.0.0.1 -n 17
                                            Imagebase:0xfb0000
                                            File size:18'944 bytes
                                            MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:06:12:30
                                            Start date:29/08/2024
                                            Path:C:\Users\user\AppData\Roaming\po.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\po.exe"
                                            Imagebase:0xe0000
                                            File size:2'628'152 bytes
                                            MD5 hash:94117AFF03DEC1ED2036AAB93E6EE76C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3317600419.0000000004296000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3317600419.0000000004344000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3317600419.00000000042F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3317600419.00000000042F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3308368525.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 71%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            Target ID:11
                                            Start time:06:12:43
                                            Start date:29/08/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                            Imagebase:0xb80000
                                            File size:103'528 bytes
                                            MD5 hash:89D41E1CF478A3D3C2C701A27A5692B2
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3611482014.0000000006A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3611482014.0000000006A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3611482014.0000000006A5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3608105838.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3608105838.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:false

                                              Execution Graph

                                              Execution Coverage:25%
                                              Dynamic/Decrypted Code Coverage:95%
                                              Signature Coverage:0%
                                              Total number of Nodes:40
                                              Total number of Limit Nodes:2
                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 a560006-a560290 31 a560296-a560fbd 0->31 32 a562203-a5624e8 0->32 439 a560fc3-a561287 31->439 440 a56128f-a5621fb 31->440 107 a5624ee-a563447 32->107 108 a56344f-a564448 32->108 107->108 673 a56473e-a564751 108->673 674 a56444e-a564736 108->674 439->440 440->32 678 a564757-a564db0 673->678 679 a564db8-a565d30 673->679 674->673 678->679 1063 a565d30 call a5671b2 679->1063 1064 a565d30 call a5671c0 679->1064 1065 a565d30 call a56717b 679->1065 1062 a565d36-a565d3d 1063->1062 1064->1062 1065->1062
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f5a5a99af38ebcf73d2cb089f40a7477bc08596b34a1e3441c529697a2da42a
                                              • Instruction ID: 3ee3f3ad12de4034318c599088be77b5f3fc1cc39c0eb1c01a2db421218d85c2
                                              • Opcode Fuzzy Hash: 7f5a5a99af38ebcf73d2cb089f40a7477bc08596b34a1e3441c529697a2da42a
                                              • Instruction Fuzzy Hash: A5B32A74A012188FCB58EF38E89969CBBF2FF89200F4084EAD449A7650EF345E95DF55

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1066 a560040-a560290 1095 a560296-a560fbd 1066->1095 1096 a562203-a5624e8 1066->1096 1503 a560fc3-a561287 1095->1503 1504 a56128f-a5621fb 1095->1504 1171 a5624ee-a563447 1096->1171 1172 a56344f-a564448 1096->1172 1171->1172 1737 a56473e-a564751 1172->1737 1738 a56444e-a564736 1172->1738 1503->1504 1504->1096 1742 a564757-a564db0 1737->1742 1743 a564db8-a565d30 1737->1743 1738->1737 1742->1743 2127 a565d30 call a5671b2 1743->2127 2128 a565d30 call a5671c0 1743->2128 2129 a565d30 call a56717b 1743->2129 2126 a565d36-a565d3d 2127->2126 2128->2126 2129->2126
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48dd367e70a3ac74817412d93abeaec179b36c5b72c49af0514068123c6e29ff
                                              • Instruction ID: 5d780e905645bd9243014065ccf42162cfd7b1039686d6494e264927f67c9153
                                              • Opcode Fuzzy Hash: 48dd367e70a3ac74817412d93abeaec179b36c5b72c49af0514068123c6e29ff
                                              • Instruction Fuzzy Hash: 8DB32A74A012188FCB58EF38E89969CBBF2FF89200F4084EAD449A7650EF345E95DF55

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 3082 a360040-a3657d3 4031 a3657d5 call a367078 3082->4031 4032 a3657d5 call a367069 3082->4032 4030 a3657db-a3657e2 4031->4030 4032->4030
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538520685.000000000A360000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A360000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a360000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ee5c0299f43c40e0760a75e9a18881245824f172af414325300dc30f61f20d8d
                                              • Instruction ID: a06918a5a6b0430c80ace5afbd237eb1b67b401e705fc858e26f4da233ef610c
                                              • Opcode Fuzzy Hash: ee5c0299f43c40e0760a75e9a18881245824f172af414325300dc30f61f20d8d
                                              • Instruction Fuzzy Hash: 75B31B70A012198BCB18EF38E9996ACBBF5FB88300F4085F9D489A7250DF345E95DF95

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 4033 a8e4507-a8e450f 4034 a8e4548-a8e454e 4033->4034 4035 a8e4511-a8e4547 4033->4035 4036 a8e4822-a8e4833 4034->4036 4035->4034 4038 a8e4839-a8e483c 4036->4038 4039 a8e4553-a8e455c 4036->4039 4751 a8e483f call a8e6d7c 4038->4751 4752 a8e483f call a8e473c 4038->4752 4753 a8e483f call a8e4507 4038->4753 4040 a8e485e-a8e48b4 4039->4040 4041 a8e455d-a8e4579 4039->4041 4048 a8e48b6-a8e48c2 call a8e497b 4040->4048 4049 a8e48e2-a8e48f4 4040->4049 4050 a8e457f 4041->4050 4051 a8e474d-a8e4820 4041->4051 4043 a8e4845-a8e484a 4056 a8e4851-a8e4858 4043->4056 4060 a8e48c4-a8e48cd 4048->4060 4053 a8e48f7-a8e48fd 4049->4053 4058 a8e4586-a8e4730 4050->4058 4051->4036 4116 a8e4859 4051->4116 4059 a8e48fe-a8e4908 4053->4059 4058->4051 4143 a8e4732-a8e473a 4058->4143 4061 a8e490a-a8e490c 4059->4061 4060->4060 4063 a8e48cf-a8e48df 4060->4063 4065 a8e493e-a8e4940 4061->4065 4066 a8e490e-a8e491b 4061->4066 4063->4049 4070 a8e4942-a8e4948 4065->4070 4071 a8e49a1 4065->4071 4067 a8e491d 4066->4067 4068 a8e4960-a8e499f 4066->4068 4067->4061 4074 a8e491f-a8e4934 4067->4074 4068->4071 4073 a8e49a5-a8e4a5d 4070->4073 4075 a8e494a 4070->4075 4071->4073 4105 a8e4a5f-a8e4a6a 4073->4105 4106 a8e4a71-a8e4e06 call a8e3448 4073->4106 4077 a8e494d-a8e495e 4074->4077 4078 a8e4936-a8e493c 4074->4078 4075->4077 4077->4068 4078->4065 4105->4106 4179 a8e4e0c-a8e7ba8 4106->4179 4180 a8e7bb8-a8e7bee 4106->4180 4116->4040 4143->4051 4754 a8e7baa call a8e824a 4179->4754 4755 a8e7baa call a8e8298 4179->4755 4183 a8e7c30-a8e7c5e 4180->4183 4184 a8e7bf0-a8e7c1b 4180->4184 4185 a8e7ca0-a8e7cb2 4183->4185 4186 a8e7c60-a8e7c7e 4183->4186 4184->4183 4188 a8e7cc0-a8e7ce5 4185->4188 4186->4188 4191 a8e7c80-a8e7c92 4186->4191 4192 a8e7c94-a8e7c9d 4191->4192 4192->4192 4194 a8e7c9f 4192->4194 4194->4185 4750 a8e7bb0-a8e7bb7 4751->4043 4752->4043 4753->4043 4754->4750 4755->4750
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538860490.000000000A8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a8e0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 187bb351dfe59afab1866e0efa7d93058daaff8d8d13c460972125cebb146fe7
                                              • Instruction ID: cf9c6136166e9034207634c174cada510ae0641c89407889eb4812540df66002
                                              • Opcode Fuzzy Hash: 187bb351dfe59afab1866e0efa7d93058daaff8d8d13c460972125cebb146fe7
                                              • Instruction Fuzzy Hash: B9638DB0B01219CBCB44EF78E899B9DBBF1FB48210F5088E9E449E7354DE385D849B65
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ]
                                              • API String ID: 0-3352871620
                                              • Opcode ID: ccccdd2479a128880ac58fcdd1db7c9056ec8f63801f80a586a9493573721b0c
                                              • Instruction ID: 251e032981a6950b116dcf603fd947bc30997bdeed7a7a7ac3e1d9cc1fc7085d
                                              • Opcode Fuzzy Hash: ccccdd2479a128880ac58fcdd1db7c9056ec8f63801f80a586a9493573721b0c
                                              • Instruction Fuzzy Hash: 77729B31B002199FDB64EF69C854BAE7BB6BF88600F148069E546EB399CF34DC41CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 37d8a3b8be7167516dd974ff3b866ec333b3ec4e23cb21c290d43eea1a4cab59
                                              • Instruction ID: 3a8af7a6ce1883c81ce75e3dfb5af381009b9947bd9d6a0eba600babb03895a7
                                              • Opcode Fuzzy Hash: 37d8a3b8be7167516dd974ff3b866ec333b3ec4e23cb21c290d43eea1a4cab59
                                              • Instruction Fuzzy Hash: 22925A31A01209DFCB15CF68C884AAEBBF6FF88314F1585A9E6159B3A6D731ED41CB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cae3daa5ae0d53a508a72469ad32a84c34e8aa32df008f8a85b739ee08316590
                                              • Instruction ID: 05105bb10c524e24bf7638587fd88a3e2a1bff730d48ee2f1158298d0377c7e1
                                              • Opcode Fuzzy Hash: cae3daa5ae0d53a508a72469ad32a84c34e8aa32df008f8a85b739ee08316590
                                              • Instruction Fuzzy Hash: 20826E70A002199FDB15DFA9C844AAEBBF6FF88300F158469EA15EB3A5DB34DD41CB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0cb61970e5ff84b1afe0b449f98d437ba00e62587d29c34645268aff9c55c817
                                              • Instruction ID: e52591d75ee62074f06dc2b4b864eb51fb4fe2e28c97895a9c87fa075a159867
                                              • Opcode Fuzzy Hash: 0cb61970e5ff84b1afe0b449f98d437ba00e62587d29c34645268aff9c55c817
                                              • Instruction Fuzzy Hash: 5A523034B01219CFDB249B79CC5476D7AB2FB88300F1484AED60AAB399DB749D81CF55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 46fbe82bceb5199afdb65aad1df4a7c9b3d8110bb8487becc88a1195069c6b71
                                              • Instruction ID: 506531cd92a43723df128cc0585e7d578a2af07450affdb20d5db248c2247d01
                                              • Opcode Fuzzy Hash: 46fbe82bceb5199afdb65aad1df4a7c9b3d8110bb8487becc88a1195069c6b71
                                              • Instruction Fuzzy Hash: 2A127330A01219CFDB259B69CC5476D7BB2FF89301F1484AED60AAB398DB348D82CF55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538520685.000000000A360000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A360000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a360000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b18b26828a9ca6986c7ab3ab27d364f02131eabd64da213b6a0b441e0ab9836c
                                              • Instruction ID: 1bb2a3d8068b23deac0b9752fb3041eee3ac3c16a2807b363729fb362d0bd71f
                                              • Opcode Fuzzy Hash: b18b26828a9ca6986c7ab3ab27d364f02131eabd64da213b6a0b441e0ab9836c
                                              • Instruction Fuzzy Hash: 1C816038B002199FDF28AF75945467E7AF7BFC9700BA4852EE416E7398CE348C518B61

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 4756 a56a4fc-a56a52e 4757 a56a570-a56a750 call a56a663 call a56a613 4756->4757 4758 a56a530-a56a558 4756->4758 4787 a56a757-a56a767 4757->4787 4759 a56a4f1-a56a4f2 4758->4759 4760 a56a55a-a56a568 4758->4760 4759->4756 4760->4757 4788 a56a76e-a56a86a 4787->4788 4805 a56a87f-a56a927 4788->4805 4806 a56a86c-a56a86f 4788->4806 4809 a56a92d-a56a936 4805->4809 4819 a56a872 call a56a93e 4806->4819 4820 a56a872 call a56a9b8 4806->4820 4808 a56a878-a56a87a 4808->4809 4819->4808 4820->4808
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: F$H@
                                              • API String ID: 0-698397363
                                              • Opcode ID: 55d56d9689b2ca602498ae1d9d2524dd2a00aef9a66d85a12a08dffa161b2872
                                              • Instruction ID: 58686b0c5ff0d02ab3153910c0a4b411aa1aae465978993614cd1a04c808fa67
                                              • Opcode Fuzzy Hash: 55d56d9689b2ca602498ae1d9d2524dd2a00aef9a66d85a12a08dffa161b2872
                                              • Instruction Fuzzy Hash: 91A11670B093858FC702AB78E85575A7FF1FF86250F1644EBD485E7296EA385C09C3A2

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 5109 a56df3a 5110 a56df3b-a56df44 5109->5110 5110->5110 5111 a56df46-a56df78 5110->5111 5112 a56df7b-a56dfa4 5111->5112 5113 a56dfa8-a56e27b 5111->5113 5112->5113 5150 a56e28f-a56e35a 5113->5150 5151 a56e27d-a56e287 5113->5151 5164 a56e361-a56e364 5150->5164 5165 a56e35c-a56e35f 5150->5165 5151->5150 5166 a56e367-a56e37a 5164->5166 5165->5166 5210 a56e37d call a56fe16 5166->5210 5211 a56e37d call a56e830 5166->5211 5169 a56e383-a56e57a call a5688c0 5201 a56e5a6-a56e610 5169->5201 5202 a56e57c-a56e598 5169->5202 5205 a56e5a2-a56e5a5 5201->5205 5207 a56e59e-a56e5a1 5202->5207 5208 a56e598 call a8e3bc8 5202->5208 5209 a56e598 call a8e3bd8 5202->5209 5207->5205 5208->5207 5209->5207 5210->5169 5211->5169
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 7
                                              • API String ID: 0-1790921346
                                              • Opcode ID: b1cdf54725d388cf37106c846629f1cd57cb8f2cbabd8b8f863e3adbcd5e23a9
                                              • Instruction ID: c794a90c717d70b9e5b5a0ed464c41c0be990d30e2a019472f18e8030947baff
                                              • Opcode Fuzzy Hash: b1cdf54725d388cf37106c846629f1cd57cb8f2cbabd8b8f863e3adbcd5e23a9
                                              • Instruction Fuzzy Hash: F012D074A062458FC705FF78E89969D7BF1FF4A200F1548AAE481E72A1EE385C09D7A1

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 5212 a367cff-a367d0a 5213 a367d52-a367d56 5212->5213 5214 a367d0c-a367d1d 5212->5214 5215 a367d1f-a367d50 5213->5215 5216 a367d57-a367d82 5213->5216 5214->5215 5215->5213 5218 a367d84-a367d87 5216->5218 5219 a367d8a-a367db5 DeleteFileW 5216->5219 5218->5219 5220 a367db7-a367dbd 5219->5220 5221 a367dbe-a367de6 5219->5221 5220->5221
                                              APIs
                                              • DeleteFileW.KERNELBASE(00000000), ref: 0A367DA8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538520685.000000000A360000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A360000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a360000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 18d130a8a97ef0aae123a8fa9e89bb71585a4b72b8564222533e73cdde59eb98
                                              • Instruction ID: 3d0206b498821f9419b8ef9ee64931ec767ece0a038bae659813c571f84c2c97
                                              • Opcode Fuzzy Hash: 18d130a8a97ef0aae123a8fa9e89bb71585a4b72b8564222533e73cdde59eb98
                                              • Instruction Fuzzy Hash: EE31A3B5C097858FCB12CFA5C8547D9BFB4AF47214F1A81D7C494EB292D3385909CBA2

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 5224 a367d38-a367d82 5226 a367d84-a367d87 5224->5226 5227 a367d8a-a367db5 DeleteFileW 5224->5227 5226->5227 5228 a367db7-a367dbd 5227->5228 5229 a367dbe-a367de6 5227->5229 5228->5229
                                              APIs
                                              • DeleteFileW.KERNELBASE(00000000), ref: 0A367DA8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538520685.000000000A360000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A360000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a360000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: d68e0fd9a31c1a2daefdd5a7ef89ab37b4d7224cb468aa1f498eca26db8ec528
                                              • Instruction ID: 068a8476e6994656b74a8e61cfc83e4b433f896b4514d2ef19b8c9e0624bdff7
                                              • Opcode Fuzzy Hash: d68e0fd9a31c1a2daefdd5a7ef89ab37b4d7224cb468aa1f498eca26db8ec528
                                              • Instruction Fuzzy Hash: 7F1147B1C0065A9FCB10CF9AC444BEEFBB4FF48724F11856AD818A7240D778A940CFA5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 5236 a8e88c8-a8e8932 PostMessageW 5237 a8e893b-a8e894f 5236->5237 5238 a8e8934-a8e893a 5236->5238 5238->5237
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 0A8E8925
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538860490.000000000A8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a8e0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: e51b2df4eee0e1a1e6abc9350bf75530915c5ad3341f15dd53461ed261a06f9b
                                              • Instruction ID: fa3d67914a61db2a7eedaada7528d1fd638a17ec983b63d32b55d1df6e6fe66e
                                              • Opcode Fuzzy Hash: e51b2df4eee0e1a1e6abc9350bf75530915c5ad3341f15dd53461ed261a06f9b
                                              • Instruction Fuzzy Hash: 4D11E2B5800349DFDB20DF9AD885BDEFBF8EB48724F10841AD958A7210C379A944CFA5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 5232 a8e88c0-a8e8932 PostMessageW 5233 a8e893b-a8e894f 5232->5233 5234 a8e8934-a8e893a 5232->5234 5234->5233
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 0A8E8925
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538860490.000000000A8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a8e0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 18bca85380d1f88ed6a4c3bdb7b5b99ae8ebaf6ef13cc2a634c7b939f24b148b
                                              • Instruction ID: 792368196e95104e733ee80a7aa0a90653fe44496f19289f7aa4fcf05bcb1292
                                              • Opcode Fuzzy Hash: 18bca85380d1f88ed6a4c3bdb7b5b99ae8ebaf6ef13cc2a634c7b939f24b148b
                                              • Instruction Fuzzy Hash: D311F2B6C00249DFDB10CF9AD985BDEFBF4EB48720F10840AD558A7200C375A984CFA5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 5889 a56a93e-a56a960 5890 a56a965-a56a97e 5889->5890 5891 a56a9c0-a56af3a 5890->5891 5892 a56a980-a56a99d 5890->5892 5966 a56b710-a56b724 5891->5966 5967 a56af40-a56b045 call 16f5480 5891->5967 5892->5890 5893 a56a99f-a56a9be 5892->5893 5893->5891 5975 a56b725 5966->5975 5967->5966 5983 a56b04b-a56b050 5967->5983 5975->5975 5984 a56b056-a56b144 5983->5984 5985 a56b183-a56b6c1 call a56c430 5983->5985 5984->5966 6008 a56b14a-a56b16b 5984->6008 6078 a56b6c8-a56b6f0 5985->6078 6008->5985 6015 a56b16d-a56b173 6008->6015 6017 a56b177-a56b179 6015->6017 6018 a56b175 6015->6018 6017->5985 6018->5985 6078->5966
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8fa16b30539a7f2ffa3d17d17b06aa29b470f0cf044cf7b0b7912835e7a14384
                                              • Instruction ID: 89f4287b53f1ec758213b3ba177db4c86d074be7ac07ff13e5b749db0c112b02
                                              • Opcode Fuzzy Hash: 8fa16b30539a7f2ffa3d17d17b06aa29b470f0cf044cf7b0b7912835e7a14384
                                              • Instruction Fuzzy Hash: E572B270B012198BD704BFB8E89875DBBF1FF84210F4249AAE489E7354DF385C599BA1

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 6338 a56a9b8-a56af3a 6411 a56b710-a56b724 6338->6411 6412 a56af40-a56b045 call 16f5480 6338->6412 6420 a56b725 6411->6420 6412->6411 6428 a56b04b-a56b050 6412->6428 6420->6420 6429 a56b056-a56b144 6428->6429 6430 a56b183-a56b6c1 call a56c430 6428->6430 6429->6411 6453 a56b14a-a56b16b 6429->6453 6523 a56b6c8-a56b6f0 6430->6523 6453->6430 6460 a56b16d-a56b173 6453->6460 6462 a56b177-a56b179 6460->6462 6463 a56b175 6460->6463 6462->6430 6463->6430 6523->6411
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2ee1942b64d9e6326fa0664180ccf5c1301fe60e4d8d3326318ad938b1543ea4
                                              • Instruction ID: 4b68190a2d49186af7ace52326d25baa1d16ed2e374ff7b898d5709d78f04aeb
                                              • Opcode Fuzzy Hash: 2ee1942b64d9e6326fa0664180ccf5c1301fe60e4d8d3326318ad938b1543ea4
                                              • Instruction Fuzzy Hash: 3362A370B112198BDB04BFB8E89976DBBF1FF84200F4189AAE449E7354DF385C589B91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 94072da733b28b56f9e05b8428053536d320fc6314b9954213f673c466253f83
                                              • Instruction ID: afb5cfddc088d7e9807d6ce9f569f08b1492e3a3b2a8c4e25d0559a5afeaedc6
                                              • Opcode Fuzzy Hash: 94072da733b28b56f9e05b8428053536d320fc6314b9954213f673c466253f83
                                              • Instruction Fuzzy Hash: 76428C71B116198FCB04EF78E458B6E7BF6FB88610F118869E405E7398DE389C05DBA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a9c3292fe01b351836445fe362257c133641aac17ba9ee93bc0da3f28ae3f0fc
                                              • Instruction ID: 79104cc15a85c2329671c88fb4d7120ff3cc8e30ec40077093801f44d3d0cbd5
                                              • Opcode Fuzzy Hash: a9c3292fe01b351836445fe362257c133641aac17ba9ee93bc0da3f28ae3f0fc
                                              • Instruction Fuzzy Hash: 4BF16C70B11219CBCB04BFB8E898A5EBBF6FB88210F504969E445E7354EF389C15DB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3b1dc09faaeba22a58f6449a2496ea841b255ac34fa6498851c5cd36ef27c202
                                              • Instruction ID: 72ab1d82e4e2e27b0a075cc141cf8aa1a7764b10711ac8c35872a5c8718afc76
                                              • Opcode Fuzzy Hash: 3b1dc09faaeba22a58f6449a2496ea841b255ac34fa6498851c5cd36ef27c202
                                              • Instruction Fuzzy Hash: 71F16A70B11219CBCB04BFB8E898A5EB7F2FB88210F504969E445E7394EF389C15DB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 194e59952a261ea98bcb89123aef47f0736f90f5f94b55a7fe9763bd59eded48
                                              • Instruction ID: 35cbb80c2941ebd650fe21146982a51b41f642632344087002c61a7a324e0bd8
                                              • Opcode Fuzzy Hash: 194e59952a261ea98bcb89123aef47f0736f90f5f94b55a7fe9763bd59eded48
                                              • Instruction Fuzzy Hash: FDE1ACB07152068BC704FF78E59962EBBF1FB88650F41486DF485E3354EE389C19AB92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 875077138a28154ebaf4b3c088a47788dec07a50d41c03beac7f02cee873cd2c
                                              • Instruction ID: c4ddc5081da7f05526ba342ce2b77b3da24690a2f1300a4cdf26e357958166e6
                                              • Opcode Fuzzy Hash: 875077138a28154ebaf4b3c088a47788dec07a50d41c03beac7f02cee873cd2c
                                              • Instruction Fuzzy Hash: C0023974E0121A8FCB14BF78E98969D7BF1FB88310F104869E446E7348EB384D49DB95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cead87ee46579d7489bab99e49afadf05a98c14cc4af25eac9f94d842be89fca
                                              • Instruction ID: f410940b998d0bf920f93748547c2db931bc4b1d4f0d3cbf1213aaff912a1cd0
                                              • Opcode Fuzzy Hash: cead87ee46579d7489bab99e49afadf05a98c14cc4af25eac9f94d842be89fca
                                              • Instruction Fuzzy Hash: 86D19E71B112068BC704BFB8E49966E7BF2FB88210F558839E445E7344EE3C9C55EB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 532a9fe62586a40a0f73c32229d38f7006dc5b3b0209927bf1ef2cbed9fcaaa7
                                              • Instruction ID: a05234ecf98f80537e63705e9664720e6e074ce1640d4dafc0112669fda29645
                                              • Opcode Fuzzy Hash: 532a9fe62586a40a0f73c32229d38f7006dc5b3b0209927bf1ef2cbed9fcaaa7
                                              • Instruction Fuzzy Hash: D5C18C70B11209CBC704FF78E599AAEBBF5FB88210F514869E445E3354EE389C19E7A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0a46a24b9b766a4b9d3e8ddd5c8ca81ec124877115ba7e87513f870661c1e1ab
                                              • Instruction ID: 54906c33a8f0376bd5447eac4481f0be46ec13a66d408ee6afa36cff0174dd6e
                                              • Opcode Fuzzy Hash: 0a46a24b9b766a4b9d3e8ddd5c8ca81ec124877115ba7e87513f870661c1e1ab
                                              • Instruction Fuzzy Hash: 63B17C70B11209CBC704FF78E599AADBBF1FB88210F514869E445E7354EE389C19E7A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0734fa1756e99c146eb8a99e70a9ad53712481e7f74ff27cce198d7fe415798d
                                              • Instruction ID: 5f6ecf372627903feeac03c74b1945d3ab8d9d406efa69655c2c9defe4279693
                                              • Opcode Fuzzy Hash: 0734fa1756e99c146eb8a99e70a9ad53712481e7f74ff27cce198d7fe415798d
                                              • Instruction Fuzzy Hash: 41B1CF307012199FDB05EF68D858BAE7BB6FB88750F14802DE6029B399DB74DC42CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9abe9fc80db4bbdd9048220f816664a45df754b9ba0f0ca83f9a48796f8fe374
                                              • Instruction ID: 03a9cb81ccc73235536580befc6c43c1f72d2ba530af159cbbc6333a0a2744e8
                                              • Opcode Fuzzy Hash: 9abe9fc80db4bbdd9048220f816664a45df754b9ba0f0ca83f9a48796f8fe374
                                              • Instruction Fuzzy Hash: 59A19231B04219DBEB149AB9DC5477F76B6BBC4700F24482DE606DB78CEE348C868795
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2d1d542c3ff8858d1abb63a294d2a646cdc39320e893b030a81bd7ad019a0fb4
                                              • Instruction ID: a663619e3c6d420c542d29862755af7cd2c634f0f3a9d84cb6fb7e416fa117d9
                                              • Opcode Fuzzy Hash: 2d1d542c3ff8858d1abb63a294d2a646cdc39320e893b030a81bd7ad019a0fb4
                                              • Instruction Fuzzy Hash: 4A91AF31B04208DBEB149AB9DC5476F77B2BB84310F14482DE606DB788EF388C868B95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d22ad16b2af16f23180b03f9703e6606c69728cca9e1caf0236a79f148c83761
                                              • Instruction ID: 597b7636e3b4a90fdaa5994f693a7999181202954761a288250c49b628f90ffa
                                              • Opcode Fuzzy Hash: d22ad16b2af16f23180b03f9703e6606c69728cca9e1caf0236a79f148c83761
                                              • Instruction Fuzzy Hash: 65A18D30B002199FDB15EF64D854AAE7BB2FF88710F148429F856AB398DB34DD52CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 12ff54a286ab470e88bfb876ab3072b173614790dfac27ae40cf049399b72b89
                                              • Instruction ID: ebf0d0801b8c1f089be7b4a8e652aa54b7e3a624935af9acc039f6a0c56fa563
                                              • Opcode Fuzzy Hash: 12ff54a286ab470e88bfb876ab3072b173614790dfac27ae40cf049399b72b89
                                              • Instruction Fuzzy Hash: 5991AD75B112068FC704AF78E49966E7BF2FB88210F558839E841E7384DE7D9C45EBA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 145f983c9d17c0464943901fb21fa18ea59b6d7ee2fb84d627e8572bd9ee98dd
                                              • Instruction ID: 360c837246f3fd92c8d533b17ddb72969cc9c751efa36768a5529d4d6b12246f
                                              • Opcode Fuzzy Hash: 145f983c9d17c0464943901fb21fa18ea59b6d7ee2fb84d627e8572bd9ee98dd
                                              • Instruction Fuzzy Hash: 28818131B04209DBEB159BA9DC5477F76B2BB84301F24482DE606DB78CDF398C868B95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3f6595b761a082d36a4d703bd65c87bdbe2cde69eb33f1a24e9cf6587145602c
                                              • Instruction ID: 376f799a3bd8896fdc7f3b1c62116ebd410afa4fe8f62949966aaf3996be53c4
                                              • Opcode Fuzzy Hash: 3f6595b761a082d36a4d703bd65c87bdbe2cde69eb33f1a24e9cf6587145602c
                                              • Instruction Fuzzy Hash: 71817834A001098FDB14DF6DC884AAABBB2FF89710B15816DDA56EB365DB31E841CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 960e810f785c78434b7882495dde70ca216dd21989eaf14bbd36378fe2c814f5
                                              • Instruction ID: 271bf7a624abad51506837bdc9b0213b10e9206aa2ac72a21ced8501041823dc
                                              • Opcode Fuzzy Hash: 960e810f785c78434b7882495dde70ca216dd21989eaf14bbd36378fe2c814f5
                                              • Instruction Fuzzy Hash: 53818F70A00209CBEB24DB69DC54B7EBBB2FB85300F14846ED606DB399DB748D82CB55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f985dd991130f125156c82355a25fded89eefd6aef05ede604897071f59c71bd
                                              • Instruction ID: 99c58f426402287a85e0e341791ccde0a83ab00a8669501d3817ff47b8b22449
                                              • Opcode Fuzzy Hash: f985dd991130f125156c82355a25fded89eefd6aef05ede604897071f59c71bd
                                              • Instruction Fuzzy Hash: 6E819F30A00209CFEB249B69DC54B7EBBB2FB85300F14846ED606DB399DB748D82CB55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9fdf7379a8a605635b22d546e460598bad192e02c3ed8c74809af3c66b8d1018
                                              • Instruction ID: a08a3c94950f4d355e266d49cb85d0bd09769298f851d549b448739f42717a4a
                                              • Opcode Fuzzy Hash: 9fdf7379a8a605635b22d546e460598bad192e02c3ed8c74809af3c66b8d1018
                                              • Instruction Fuzzy Hash: 0F6101707002508FDB15AB39C858B3A7BA6AF84654F14853DD656CB3AADF78CC42C7A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: acd944889261b04cb82ef6748011ba5ecdd203d8cb7bb71c5c038bbe81a13ed2
                                              • Instruction ID: 9a9989fcf48153a6d4df8fd56a71f01b9194d6cd58579c2425af4e8d37ab356f
                                              • Opcode Fuzzy Hash: acd944889261b04cb82ef6748011ba5ecdd203d8cb7bb71c5c038bbe81a13ed2
                                              • Instruction Fuzzy Hash: C751D571B111168BC704FFB8E895B6E76F6FB88250F618829E545F3344EE389C0597D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2da96e447d1473e2a444bccfd0127ac224f7af58c87099c0df6c8aa940e043f6
                                              • Instruction ID: 16951ac1e3e792ed14266fa2132b18e4433d94b5f8a41427e4e6adbdd3321e64
                                              • Opcode Fuzzy Hash: 2da96e447d1473e2a444bccfd0127ac224f7af58c87099c0df6c8aa940e043f6
                                              • Instruction Fuzzy Hash: 66614075A05108DFDB14DFA9D850BAEB7B2FB84340F25406DE7069B399CB319D42CB92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 75e4a33cd35f2467674d8b22b5d9d7a55463b1bef4da287e4d5d7a4a6b014ebc
                                              • Instruction ID: d189c176b9f248733b8adbc62aa9dac0ba19e9b5259c07aed3ba85284aaf4bb5
                                              • Opcode Fuzzy Hash: 75e4a33cd35f2467674d8b22b5d9d7a55463b1bef4da287e4d5d7a4a6b014ebc
                                              • Instruction Fuzzy Hash: E45138327150118FDB14DE3DCC88B6A7BE6BF9835874944AEFA06CB365EB21DC028B50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ad51d2d4c8ea80311952a4654f16e9b8634b254d385a71ca2dd93d1f532ea8a
                                              • Instruction ID: ca1c83bab9a5f961f994c3d12c014e8dca71d992d0f2a6b871ba567e841a3779
                                              • Opcode Fuzzy Hash: 4ad51d2d4c8ea80311952a4654f16e9b8634b254d385a71ca2dd93d1f532ea8a
                                              • Instruction Fuzzy Hash: 6651C071B1111A8BCB04FFB8E89576EBBF6FB88250F618829E545E3344EE389C0597D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b7356be797274938165d1799d33e3837cd5464a181bc5d6dcced9b28df903a64
                                              • Instruction ID: 355348e4d78160ef64919b1d0a489cfa7d0f8eac55a547062b670144d31d25fa
                                              • Opcode Fuzzy Hash: b7356be797274938165d1799d33e3837cd5464a181bc5d6dcced9b28df903a64
                                              • Instruction Fuzzy Hash: 49518E317002199FDB14EF69D854AAE7BA6FF88304F128069E915DB3A0DB31EC46CF91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 384a3b877e5501e1de74d600591336ed68920b866994caa27745a1fa0c2320d3
                                              • Instruction ID: b390486769a7e1ea3c2e03d211c3ae1fbc13d6928d5b6aaedbf1ae1a44e2190f
                                              • Opcode Fuzzy Hash: 384a3b877e5501e1de74d600591336ed68920b866994caa27745a1fa0c2320d3
                                              • Instruction Fuzzy Hash: D1514835A50109DFDB14DF68C854A9DBBB2FF48721F118469E902E73A5DB319D41CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3de80f8d532f2235b063a6fc6e0cde5c643e6ad847c0e71b64ef0ee681a990b2
                                              • Instruction ID: eadc1b31afb02872cee40abe336d1b602c696bb19d01215c07b577a1ba7f5abb
                                              • Opcode Fuzzy Hash: 3de80f8d532f2235b063a6fc6e0cde5c643e6ad847c0e71b64ef0ee681a990b2
                                              • Instruction Fuzzy Hash: 23413772E012198FCB15EBB9C8546EEBFF2EFC9211B14816AD505E7388DB309D06CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 941bd3e5a635edd69c47c4e9619e6dc4832619a7c5b07e087cad8e58f06c94d8
                                              • Instruction ID: 31060cb338c04ccad33d08597e4c0a5eb7798c70fc3f4131f182bf8f8aa74d04
                                              • Opcode Fuzzy Hash: 941bd3e5a635edd69c47c4e9619e6dc4832619a7c5b07e087cad8e58f06c94d8
                                              • Instruction Fuzzy Hash: A441F832B052458FCB15CF69DC80B9BBBB5EF81320B1881ABD54CDB286D734E505CBA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 018cf5a09dd84c45b97cb81f2c6644ccbae7171102e6b65cbe24f1bb11109ac2
                                              • Instruction ID: 57cc184e6917b1738a61a40d3a903d8a655d9b59a1d575253ecc089c3e439d8d
                                              • Opcode Fuzzy Hash: 018cf5a09dd84c45b97cb81f2c6644ccbae7171102e6b65cbe24f1bb11109ac2
                                              • Instruction Fuzzy Hash: 30418E357002049FDB14AB69D854AAE7BBAFFC8710F148469E616D7399DF359C02CBA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77fafa22444694c1665acf75226b403adb3fb24fed579c8516b2d5ea60a728a7
                                              • Instruction ID: 025ae27a447dde76c935be62f82df0db2e6ad01e75b17d34c990f73acb455194
                                              • Opcode Fuzzy Hash: 77fafa22444694c1665acf75226b403adb3fb24fed579c8516b2d5ea60a728a7
                                              • Instruction Fuzzy Hash: 3241E7323002159FCB15AF69EC14A7A7BE6FF89751B1440AEEA06C73A5CB39DC01C751
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e736a582bade66287564d7f3452996fcd9906ea7976864b2dd3fef33703ef87
                                              • Instruction ID: 2b6a1f24409424382afe8e07cd23278b93d9f4d053f85c9f9dc598eec95d6b99
                                              • Opcode Fuzzy Hash: 8e736a582bade66287564d7f3452996fcd9906ea7976864b2dd3fef33703ef87
                                              • Instruction Fuzzy Hash: D031D2B1B111168BCB04BFB8E895B6EB7F2FB88250F618869D545F3344EE389C05A7D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ab00066ec329503c4ff1ce4503e39bdcfcc64dd2dca2c59da7cd9b956f7e007a
                                              • Instruction ID: 798459437dfa1a51ecb3d3fbf00e36a18e8df7427d8bb1bbbb232f3c0d105c37
                                              • Opcode Fuzzy Hash: ab00066ec329503c4ff1ce4503e39bdcfcc64dd2dca2c59da7cd9b956f7e007a
                                              • Instruction Fuzzy Hash: E94122756001099FDB15DF68DC88BAA7BB6FB88319F108069FA169B3A5CB34DD41CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83c75322fdb4201a7c31ad6542faea428629fb8114e699863a8ee0d3745bc7aa
                                              • Instruction ID: 61278cc9a63888e8eb4f4f4d52bff9b1c24518368745b23f9f4c97ae75ef4b5f
                                              • Opcode Fuzzy Hash: 83c75322fdb4201a7c31ad6542faea428629fb8114e699863a8ee0d3745bc7aa
                                              • Instruction Fuzzy Hash: B3414C7150E3C49FCB039B64D8646D87FB1BF4B210F0A40EBD481EB2A3D6254C5ACB62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 16d36a9ed9714e1acdd60669032805ca280a855be5963f09667a28860d2b9f0a
                                              • Instruction ID: ebdea67703b89ffa3e1a65af9ca775a2edc80719c899d588e0517982f8a3f490
                                              • Opcode Fuzzy Hash: 16d36a9ed9714e1acdd60669032805ca280a855be5963f09667a28860d2b9f0a
                                              • Instruction Fuzzy Hash: 5F419E307001099FCB64EF69D454AAE7BF6FB8C600F148068E946A7398DB39DC01CF60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 618f0638dac9aa78e58dfd070ed812c2b53fdfe007570c903197a37fcb63c0cf
                                              • Instruction ID: ea129de667e5571a6551713f350ba46740c3cbe1c4a839d03f18302f1e926c4a
                                              • Opcode Fuzzy Hash: 618f0638dac9aa78e58dfd070ed812c2b53fdfe007570c903197a37fcb63c0cf
                                              • Instruction Fuzzy Hash: AB416170E01209DFCB04DFA5C824A5EBBB1FF44300F18C99AC6265B359EB358E45DB92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b2ab35e352a99db9a53f68759dfcd884d97b35bd3855655be725bd2542d814d6
                                              • Instruction ID: 782e27ad195cee1ac660c645f6de07c357fa5497c423f38fdf2792d9d6cfe609
                                              • Opcode Fuzzy Hash: b2ab35e352a99db9a53f68759dfcd884d97b35bd3855655be725bd2542d814d6
                                              • Instruction Fuzzy Hash: B841397154E3C59FCB039B74D8605987FB0BF4B210B0A41DBD582EB2B3D6255C1ACB62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fb12680bf10c9f444012d88862a997d364798b96b03e4548014fb198cab54f37
                                              • Instruction ID: 0c4853fe0e3fae7351dd049c923e3f433ccb7dcbc643e918b075522cf3812124
                                              • Opcode Fuzzy Hash: fb12680bf10c9f444012d88862a997d364798b96b03e4548014fb198cab54f37
                                              • Instruction Fuzzy Hash: 7B21B5313042214BEB26662E8C6877D3697EFC9759F14403DE602CB399EB69C846DB41
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2700953dfb5e792efa64f0b29aeba3bb5e797ff9381c439d7a6b2d32d9cac635
                                              • Instruction ID: 953d2bed48f75d276b64f455c9bb480a2b2587388d70b0cb4a26c8106746c76f
                                              • Opcode Fuzzy Hash: 2700953dfb5e792efa64f0b29aeba3bb5e797ff9381c439d7a6b2d32d9cac635
                                              • Instruction Fuzzy Hash: 3321D1313091559BEB15DE6AAC58B7B7BEAEB95314F04446EFA02C7344DB38CC42CB60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6cd8bc89acc182bdb625f05499bf40eec1484978bde662bb17a843e8fe47c934
                                              • Instruction ID: f02aa91f742c83e26179fc557d088fb4388b659c6f7a3269444e603db56ae5d8
                                              • Opcode Fuzzy Hash: 6cd8bc89acc182bdb625f05499bf40eec1484978bde662bb17a843e8fe47c934
                                              • Instruction Fuzzy Hash: CF21F2357016128FD7259B29C854A6AB7E2FFC9B16B08807DDA0ADB358CF34DC02CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f38eb0f5e6655601120a5e9e0c0283627cf537546049d772e9f03664442e3e7c
                                              • Instruction ID: b30c8202737e9c75d6903275bb5b2bc81dd70fc8f97c43e349ac3ddf7dfcf0f7
                                              • Opcode Fuzzy Hash: f38eb0f5e6655601120a5e9e0c0283627cf537546049d772e9f03664442e3e7c
                                              • Instruction Fuzzy Hash: DD21C671B112268BC704BFB8F899B5EB7E5FB88210F104929E449D3344EE7C9C09D791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2510798273.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_128d000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2ebc1e756012be6215851f593baaeed830b2904b1a1dd6662e47d036c12e4c2e
                                              • Instruction ID: 2fda4aee60feed689f37589662c3774e35c193511a007833fcb259f993737b28
                                              • Opcode Fuzzy Hash: 2ebc1e756012be6215851f593baaeed830b2904b1a1dd6662e47d036c12e4c2e
                                              • Instruction Fuzzy Hash: 7A213871510208DFDB11EF58E5C0B16BF65FB88314F208169D9050B2D6C33AD459C6B1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e333ad9358c4f620a2fa57e7faaba53c6ff2dc873c19b9c5806fbd84954cfaa9
                                              • Instruction ID: 050a58b233b98f5327b1153b0f3b1f47c3b22e23ca46f7cf1229d74c4238a458
                                              • Opcode Fuzzy Hash: e333ad9358c4f620a2fa57e7faaba53c6ff2dc873c19b9c5806fbd84954cfaa9
                                              • Instruction Fuzzy Hash: FA11D671B112168BC704BFB8F899B2EB7E9FB88210F108929E449E3344EE7C9C05D391
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511222035.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_141d000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 78116e2be63b9063a09dc6b7c546df9b3aee8ffee4eee5b216bfd011170d2a36
                                              • Instruction ID: 083b457a51a69f88903d098663f1bbf9c4cd53a63d007fba0a6f2c7bb4b0d804
                                              • Opcode Fuzzy Hash: 78116e2be63b9063a09dc6b7c546df9b3aee8ffee4eee5b216bfd011170d2a36
                                              • Instruction Fuzzy Hash: DE2137B1904204DFDB05DF58D9C4B16BBA1FB88314F24C66ED8090B36AC336D846CA61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511222035.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_141d000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd1b9b647c2d9be8213a02b41cd336fd787720497d4d6eddb623de6ffff61c7c
                                              • Instruction ID: 97a15200093c37d16a4ef9604a386b53b141e8decf7f48682b57e39681fc2964
                                              • Opcode Fuzzy Hash: fd1b9b647c2d9be8213a02b41cd336fd787720497d4d6eddb623de6ffff61c7c
                                              • Instruction Fuzzy Hash: 3D2137F1904204DFDB05DF54C5C8B16BBA5FB88314F24C66ED9094B3AAC37AD846CB61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f3291221393f1f8b03588670c6f230cd4b6bbefa3d8677af35f0ab47c26c7896
                                              • Instruction ID: dbe75fe92e247f5000fdc2c80c10d5f20e2416a1c55c00b246de0b15b2e4eba1
                                              • Opcode Fuzzy Hash: f3291221393f1f8b03588670c6f230cd4b6bbefa3d8677af35f0ab47c26c7896
                                              • Instruction Fuzzy Hash: ED213431A00218EFCF14EFA8D844ADDBBB1FB49320F104069E901B7264DB319D55CF61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2738de1f4dc0c6d5796c586683f6effd836741d5d43fe437ff62ce9493cb1130
                                              • Instruction ID: 12a13d7e7e2135afb543aa4ee1ab2111be6a908b75bd387094b9920aeca45329
                                              • Opcode Fuzzy Hash: 2738de1f4dc0c6d5796c586683f6effd836741d5d43fe437ff62ce9493cb1130
                                              • Instruction Fuzzy Hash: 0511B9317052099FDB15EF58D818B6E7BA6FB88B15F04802DEA069B359CB38DC55CB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 82b3898bf1b1cb900427d052d852da00e0c017939f985db50b2460446a43fcaa
                                              • Instruction ID: fb3832617b31a4a10db8a53e9c1649d636592508d33a73ea90c7d667befa3890
                                              • Opcode Fuzzy Hash: 82b3898bf1b1cb900427d052d852da00e0c017939f985db50b2460446a43fcaa
                                              • Instruction Fuzzy Hash: E0116A75A001049FCB10DF68DC84BEDBBB6FB8C710F148169EA16A7359DB71AC11CBA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 07cd8445b0f365cefa786d755a1aa7c6d50276fd27050942596ee26d6b89cbb3
                                              • Instruction ID: 4d60d1cc258aa187f01f0ed30b38b7d6c49e445cdb387e719664634309ebd185
                                              • Opcode Fuzzy Hash: 07cd8445b0f365cefa786d755a1aa7c6d50276fd27050942596ee26d6b89cbb3
                                              • Instruction Fuzzy Hash: 30219771900248DFCB21CF58D848BAABBB6BB48310F44C56EE59A9B252D734A904CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2510798273.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_128d000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cfb52f8b9dfce4186a4761286b1afaf252fc13293eafdb1bf8f112f6695a61f7
                                              • Instruction ID: 86d873604d0367c45d1a8940af17d116053dde6366c6d42acacf0fd342a65394
                                              • Opcode Fuzzy Hash: cfb52f8b9dfce4186a4761286b1afaf252fc13293eafdb1bf8f112f6695a61f7
                                              • Instruction Fuzzy Hash: EB11E176404284CFCB12DF14E5C4B16BF72FB88314F24C6AAD9090B297C33AD45ACBA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511222035.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_141d000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2ccfe305154e95a536d18b49939e535c9c69fd109e9eb5688aea898868e671a0
                                              • Instruction ID: 549cd85f1100bba4948cd45bf891bbd456624253e0a9daadae4bed2f9bdb5402
                                              • Opcode Fuzzy Hash: 2ccfe305154e95a536d18b49939e535c9c69fd109e9eb5688aea898868e671a0
                                              • Instruction Fuzzy Hash: A211BEB6904284CFCB02CF54D5C4B16BBA1FB84314F28C6AAD8094B366C33AD40ACB61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511222035.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_141d000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2ccfe305154e95a536d18b49939e535c9c69fd109e9eb5688aea898868e671a0
                                              • Instruction ID: 9c0c6274ae719868c380fc824bbdced416e2f2e39a18573fd9536be703059469
                                              • Opcode Fuzzy Hash: 2ccfe305154e95a536d18b49939e535c9c69fd109e9eb5688aea898868e671a0
                                              • Instruction Fuzzy Hash: D311BEB5904280CFDB06CF54D9C4B16BBB2FB84314F24C6AAD8494B36AC33AD44ACB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ea0eda6bf99bf83bf9e005eb6016c590e960f1392af7e615120e05c0d5d86e74
                                              • Instruction ID: 0e9f4a2a673e72302280b14055a6fca307266cfa57b985efebef6001523cc4a0
                                              • Opcode Fuzzy Hash: ea0eda6bf99bf83bf9e005eb6016c590e960f1392af7e615120e05c0d5d86e74
                                              • Instruction Fuzzy Hash: 3501D6327001196BDB15EE59DC10AAF3BEBEBC8A90B148069FA05C7288DF75DC1297D0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2510798273.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_128d000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ba24fe4652f932aef8bb6b2acb3d3c135139367b405b0c3f4c9491c72af1a2b
                                              • Instruction ID: 040987849d44f1e0a84efd9d6c4f8717a41c4a34953f9c6cbb46c729d4e5d206
                                              • Opcode Fuzzy Hash: 6ba24fe4652f932aef8bb6b2acb3d3c135139367b405b0c3f4c9491c72af1a2b
                                              • Instruction Fuzzy Hash: 46012B31425348DBE7106B5ACD84B27FF98EF41724F18C11AEE094F1C3C6799849C6B1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0ab279b22a8c7ee24bbde657d528b5dafe6ea0e05cb0d2b22d0cf1c4726db0b5
                                              • Instruction ID: 13507b4179bd6bb6005982c11b6d941a764c3c474eaeebbb848734309f82ed16
                                              • Opcode Fuzzy Hash: 0ab279b22a8c7ee24bbde657d528b5dafe6ea0e05cb0d2b22d0cf1c4726db0b5
                                              • Instruction Fuzzy Hash: D1111535A00109EFCF00EFA4E9549DDBBB1FF48221F054469E906BB264DB319D51CF60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd1ee1d5dabba821ebd0794f87df229126aeefa3cfce790e141c753800bb2eb9
                                              • Instruction ID: 3b6bd64b79d6bd9b60dad10d4267f9ad9c705ac50b601cad8ae47681ee559c23
                                              • Opcode Fuzzy Hash: bd1ee1d5dabba821ebd0794f87df229126aeefa3cfce790e141c753800bb2eb9
                                              • Instruction Fuzzy Hash: 41F0963630111DB7CF11AF48EC10BEE3B26FB88722F108025F60997194CB76C825DB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2510798273.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_128d000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ac5e27cb5b42b3cff75ab105bb0a5c17068083f929a8645a105653bd1012dd8c
                                              • Instruction ID: 2466c62e79752646ad1cd33ce03eb4a5555ab36f99ff569f6d6975e1b406ecf2
                                              • Opcode Fuzzy Hash: ac5e27cb5b42b3cff75ab105bb0a5c17068083f929a8645a105653bd1012dd8c
                                              • Instruction Fuzzy Hash: 85F0C271405348AEE7118A0AC884B62FF98EB81624F18C15AEE084B2C3C2799845CAB1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d695d8d2cda3087263bba95ee2f667ea95acb4c914a298e79b82ae23ce24a80c
                                              • Instruction ID: b75f6a7c006f2469ce4f200740f8332f586764a79994c72ca21f83b3a66f61c8
                                              • Opcode Fuzzy Hash: d695d8d2cda3087263bba95ee2f667ea95acb4c914a298e79b82ae23ce24a80c
                                              • Instruction Fuzzy Hash: EAF03936A14118EFDF188A9AFC80AAEB775FF88655F00092DE3079AAC4CF304841CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bbfb3c2baef077654276b992eeaf7ab1006bb141b7672abd2ce96fc7fe9609f3
                                              • Instruction ID: ce1dacef91b288079324be18a0f360287e7de3a8927d2352478eaab1559797ed
                                              • Opcode Fuzzy Hash: bbfb3c2baef077654276b992eeaf7ab1006bb141b7672abd2ce96fc7fe9609f3
                                              • Instruction Fuzzy Hash: F5E0DFB58063A89FC752DB38EFC1A903F70F781384B050799D062CB0ABFA18680ECB55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 716431012a0ff35e2cc723cf6911dbceae8053b942c1ed41b55463402810acac
                                              • Instruction ID: e28a031bccfb47e425fe3da5f0c4d48ceb9dc41b744463337ae1b0955c4b7087
                                              • Opcode Fuzzy Hash: 716431012a0ff35e2cc723cf6911dbceae8053b942c1ed41b55463402810acac
                                              • Instruction Fuzzy Hash: 43E04636A18118EFDB288A88FC80AAEB374FB48265F01066AF307969C4CB314851CB12
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7413e6c0f477fa6f6a4d13c29a583afc2ac393647c0e83a0e3595e688ad0ee71
                                              • Instruction ID: 439383051ba6b009097691f145b30c5154be41fddc65429406590b2e5ba45607
                                              • Opcode Fuzzy Hash: 7413e6c0f477fa6f6a4d13c29a583afc2ac393647c0e83a0e3595e688ad0ee71
                                              • Instruction Fuzzy Hash: 54E0DF7502F3828FD3032B30A9180493F31FA1616530D449BE446C2153DE3C8C06DB32
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2459bd2152b568660bc64cbcff4d34eec78ff161cc8f58e80d95b5987085668f
                                              • Instruction ID: f3d2fe56d8f391997d6b5eaaed71ce3c72804a4053f57727016c9df0ca91323d
                                              • Opcode Fuzzy Hash: 2459bd2152b568660bc64cbcff4d34eec78ff161cc8f58e80d95b5987085668f
                                              • Instruction Fuzzy Hash: 19E04835126216CBC3145F70F4096197F75FB09615715886CF40582151DF35DC57DF71
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb02a07a35985eaff5f859b9611cda0c20273444fad955ea9a2894f2fedd89a2
                                              • Instruction ID: 7039d4ad869c739616ae11b9e2006807ca856b4aa5b1d64c09949205686ea163
                                              • Opcode Fuzzy Hash: cb02a07a35985eaff5f859b9611cda0c20273444fad955ea9a2894f2fedd89a2
                                              • Instruction Fuzzy Hash: 0FE0EC34226206CFC3145F71E40951A7FB9FB09616305886CF80692651DF3AD842EE71
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c6284da19c33447fe50318601f684b3dea647fa44a2d337b4b21dd792d66178
                                              • Instruction ID: aad66264925c3d87f80d2e07f3d9e09079b976b37f3ce66c0feb5f5f080a6621
                                              • Opcode Fuzzy Hash: 6c6284da19c33447fe50318601f684b3dea647fa44a2d337b4b21dd792d66178
                                              • Instruction Fuzzy Hash: 03D0677BB401089FCF049F98EC409DDF776FB98221B148116E915A3265C6319961DB60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: faf6c5cd09010b8ff6490bd5a44c2468b93e91d9db68530df86999e397c3e483
                                              • Instruction ID: ef9cb5a0813396b68f8be87c7211bf4167898157e6d7b073d7d0777ea071321d
                                              • Opcode Fuzzy Hash: faf6c5cd09010b8ff6490bd5a44c2468b93e91d9db68530df86999e397c3e483
                                              • Instruction Fuzzy Hash: 76D02BB14212068FD700FB7AF8557993B26F795700B144125C8464610AEE3CC9048B41
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2511583959.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_16f0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5bff1ec4a0503278c7cefeb2c59778d28a7c4a0fe04092bf2de409f79d96ac3a
                                              • Instruction ID: fb4087db8bc127180858c07620a98e868bb2deb001b23068374809601f5c6343
                                              • Opcode Fuzzy Hash: 5bff1ec4a0503278c7cefeb2c59778d28a7c4a0fe04092bf2de409f79d96ac3a
                                              • Instruction Fuzzy Hash: 0BC0123002130B8BD604FB7BF848566376AF688B047908525990D16419EE7C5D044A95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538705428.000000000A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a560000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 846f771f603d2af9ac115ad3027576e2e661b02a1d3e57c7d8f50dad7a7bb22c
                                              • Instruction ID: 2861051987e474b54bbf211b03f5a8bc54405f632bec9a06366b986d9d6635b5
                                              • Opcode Fuzzy Hash: 846f771f603d2af9ac115ad3027576e2e661b02a1d3e57c7d8f50dad7a7bb22c
                                              • Instruction Fuzzy Hash: E9B0123BB05008A90910008878020DCF359F1981376004163D71E52001262122300551
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538860490.000000000A8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a8e0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 870e2a1f73a2408f1b6f3643aeea8b818209b03380a4cc3244d40cdacc03719e
                                              • Instruction ID: dd4e62c439cf6bd6dfcae72c171f34653a4eb0e44a31ae73e0c8e71c1474d104
                                              • Opcode Fuzzy Hash: 870e2a1f73a2408f1b6f3643aeea8b818209b03380a4cc3244d40cdacc03719e
                                              • Instruction Fuzzy Hash: 8842E331A01246CFDB05EF74E854A9DBBF2FF89200F1585AAD049EB265EF389C45CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538860490.000000000A8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a8e0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b046949638e004dcc0b31dc78de65251b880cfbf9b00c0e36ae03c264a5dc650
                                              • Instruction ID: 9506dfd14067710d706a4558f82120bd9dfe78cac56e1e5a178ecf00862e0ee6
                                              • Opcode Fuzzy Hash: b046949638e004dcc0b31dc78de65251b880cfbf9b00c0e36ae03c264a5dc650
                                              • Instruction Fuzzy Hash: 7B328071B0021ACFDB04EF75E855A9EBBF2FF88200F5185A9D049EB254EF389C559B90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538860490.000000000A8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a8e0000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 257477e1c01263cb5474b5703678d9ccea792d16e1594c87bb4731a331aa2ddd
                                              • Instruction ID: 5c29fcaf6984765023366e4798893017bf4d76618c7faeba12f36425ace149e1
                                              • Opcode Fuzzy Hash: 257477e1c01263cb5474b5703678d9ccea792d16e1594c87bb4731a331aa2ddd
                                              • Instruction Fuzzy Hash: DAD1B274A00105CFDB18DF69C598AA9B7F1AF8A741F2680A9E505EB371DB31AD40CF60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538520685.000000000A360000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A360000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a360000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f2cef57f12c402ba1d3f40eed915d35f515d2650a8f6f42159a0714dd79645d1
                                              • Instruction ID: e8e617eb6ae4a394b6a7f814bceead82cb06b021fd67ca9938cdad61913f6f8b
                                              • Opcode Fuzzy Hash: f2cef57f12c402ba1d3f40eed915d35f515d2650a8f6f42159a0714dd79645d1
                                              • Instruction Fuzzy Hash: E1D1F53192074ACADB10EB75D990A9DB7B1FF95300F508B9AE4097B220FF746AC5CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2538520685.000000000A360000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A360000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a360000_G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd3a17a0545343e3fdf569b267023b3e2603c489f2666d0fffde17f7f538ef8b
                                              • Instruction ID: 3d2e87dca1b8bb02283dc626cf36531f258d3c28f20eec6fad758eb10f935931
                                              • Opcode Fuzzy Hash: fd3a17a0545343e3fdf569b267023b3e2603c489f2666d0fffde17f7f538ef8b
                                              • Instruction Fuzzy Hash: 97D1F43192074ACADB10EB75D890A9DB7B1FF95300F508B9AE5097B220FF746AC5CB91

                                              Execution Graph

                                              Execution Coverage: 16%
                                              Dynamic/Decrypted Code Coverage: 99.6%
                                              Signature Coverage: 1.2%
                                              Total number of Nodes: 248
                                              Total number of Limit Nodes: 16
                                              execution_graph (rendered as an interactive graph in the report; the raw node/edge dump is reduced here to the call paths that reach a Windows API, entry node first, intermediate nodes in call order, API call site last)
                                              • a1cd718 → a1cd758 ResumeThread
                                              • a1cc998 → a1cc9d8 VirtualAllocEx
                                              • a1ccd10 → a1ccd58 WriteProcessMemory
                                              • a1cd490 → a1cd4d5 Wow64SetThreadContext
                                              • a1cc2c8 → a1cc30d Wow64GetThreadContext
                                              • a1cd208 → a1cd250 VirtualProtectEx
                                              • a1c4bb7 → a1c564f → a1c7b20 / a1c8028 → a1ca308 → a1ca387 CreateProcessAsUserW
                                              • a1cda50 → a1c5168 → a1cdcd0 PostMessageW
                                              • 9e79d52 → a1c0dec / a1c0d63 / a1c1632 / a1c1a03 / a1c0e30 / a1c1752 / a1c0ebf / a1c1e84 → a1c3318 / a1c3320 → a1c331b VirtualProtect, a1c3328 VirtualProtect
                                              • 9e7ade9 → 9e7ad99 VirtualProtect
                                              • 9c90040 → 9c97078 / 9c97069 → 9c97340 / 9c972dd → 9c97a40 / 9c97a30 → 9c97d38 / 9c97cff → 9c97d7e DeleteFileW, 9c97d0c DeleteFileW
                                              • 87c6bd0 → 87c70c2 / 87c70d0 → 87c7363 / 87c7368 → 87c6cdc → 87c7548 LoadLibraryExW
                                              • 87c72c0 → 87c7308 GetModuleHandleW
                                              • 87c96c8 DuplicateHandle
                                              • 55ece30 → 4f98528 → 87c8c81 / 87c8c90 → 87c8f60 / 87c8f50 → 87c6fe0 → 87c930c → 87cb668 / 87cb680 → 87cc7b8 → 87cd651 → 87cd7b3 CreateWindowExW (the same 4f98528 → CreateWindowExW path is also reached from 55ef3a0 → 55ecc28)
                                              • e4d01c → 87cd8a8 / 87cd897 / 87ce5f9 / 87cc4d4 → 87ce85c / 87ce790 / 87ce780 → 87ce848 / 87ce838 → 87cfc81 → 87cc5fc → 87cfd4a CallWindowProcW
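The API call sites in the execution graph above (CreateProcessAsUserW, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, Wow64GetThreadContext, Wow64SetThreadContext, ResumeThread) are the ordered primitive chain behind the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" signatures: spawn a target, allocate and write into it, rewrite the primary thread's context, resume it. The script below is an added detection example, not part of the Joe Sandbox report and not code from the sample; it matches that ordered chain per process in an API trace. The trace format (pid, call-site address, API name) and the process IDs 1234 and 5678 are constructed for this example; the API names and call-site addresses are taken from the graph. The stage table also accepts the plain and Nt-prefixed variants of each call, which goes beyond the WOW64 variants this sample uses.

```python
"""Flag the process-hollowing API chain in a per-process API trace.

Added example (not from the Joe Sandbox report). Trace format and pids
are constructed; API names and call sites mirror the execution graph.
"""
import re
from collections import defaultdict

# Ordered stages of the injection chain. A process matches when one API from
# each stage appears in this order; unrelated calls in between are ignored.
# Each stage lists the user-mode call, its WOW64 variant where one exists,
# and the Nt* syscall wrapper, so a trace hooked at either layer is covered.
STAGES = [
    ("create_target", {"CreateProcessW", "CreateProcessA",
                       "CreateProcessAsUserW", "CreateProcessInternalW"}),
    ("alloc_remote", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write_remote", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("hijack_thread", {"SetThreadContext", "Wow64SetThreadContext",
                       "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
]

# Constructed trace: "<pid> <call-site> <api>", one call per line.
# pid 1234 replays the call sites from the execution graph; pid 5678 is a
# benign GUI process that touches none of the injection stages.
SAMPLE_TRACE = """\
1234 a1ca387 CreateProcessAsUserW
1234 a1cc9d8 VirtualAllocEx
1234 a1ccd58 WriteProcessMemory
1234 a1cd250 VirtualProtectEx
1234 a1cc30d Wow64GetThreadContext
1234 a1cd4d5 Wow64SetThreadContext
1234 a1cd758 ResumeThread
5678 87c7548 LoadLibraryExW
5678 87cd7b3 CreateWindowExW
5678 87cfd4a CallWindowProcW
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<site>[0-9a-fA-F]+)\s+(?P<api>\w+)$")


def parse_trace(text):
    """Return {pid: [(call_site, api), ...]} in trace order; skip malformed lines."""
    calls = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls[m["pid"]].append((m["site"], m["api"]))
    return dict(calls)


def match_chain(calls):
    """Walk a process's calls in order and consume STAGES one at a time.

    Returns [(stage, call_site, api), ...] when every stage was satisfied in
    order, else None. Order matters: a write before the allocation, or a
    resume before the context hijack, does not complete the chain.
    """
    matched = []
    idx = 0
    for site, api in calls:
        if idx < len(STAGES) and api in STAGES[idx][1]:
            matched.append((STAGES[idx][0], site, api))
            idx += 1
    return matched if idx == len(STAGES) else None


def find_injectors(text):
    """Return {pid: matched chain} for every process that completes the chain."""
    result = {}
    for pid, seq in parse_trace(text).items():
        chain = match_chain(seq)
        if chain:
            result[pid] = chain
    return result


if __name__ == "__main__":
    for pid, chain in find_injectors(SAMPLE_TRACE).items():
        print(f"pid {pid}: process hollowing chain")
        for stage, site, api in chain:
            print(f"  {stage:14} {api} @ {site}")
```

The matcher is deliberately order-sensitive and stage-based rather than keyed on any one API, because VirtualAllocEx or WriteProcessMemory on their own are common in legitimate software (debuggers, installers, some AV); it is the complete create, allocate, write, set-context, resume sequence against one child that is the strong signal. It does not cover section-mapping variants (NtMapViewOfSection into the child) or thread-creation variants (CreateRemoteThread), which would need additional stage tables.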

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 9e90011-9e90290 30 9e92203-9e924e8 0->30 31 9e90296-9e90fbd 0->31 106 9e9344f-9e94448 30->106 107 9e924ee-9e93447 30->107 438 9e9128f-9e921fb 31->438 439 9e90fc3-9e91287 31->439 672 9e9473e-9e94751 106->672 673 9e9444e-9e94736 106->673 107->106 438->30 439->438 677 9e94db8-9e95d30 672->677 678 9e94757-9e94db0 672->678 673->672 1062 9e95d30 call 9e9717b 677->1062 1063 9e95d30 call 9e971b1 677->1063 1064 9e95d30 call 9e971c0 677->1064 678->677 1061 9e95d36-9e95d3d 1062->1061 1063->1061 1064->1061
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6344586d149dc70cd9ed9f94287483bd8f9fde27371c61f3519e861a7d26ac3e
                                              • Instruction ID: cb37f33f88e11d091be27e70e9e0b5399fb5158f7d9b55292843c0080b09547b
                                              • Opcode Fuzzy Hash: 6344586d149dc70cd9ed9f94287483bd8f9fde27371c61f3519e861a7d26ac3e
                                              • Instruction Fuzzy Hash: 6BB31870E012288BCB55EF39E8946ADBBF2FF89600F0084EAD449A7354DE345E95CF56

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1065 9e90040-9e90290 1094 9e92203-9e924e8 1065->1094 1095 9e90296-9e90fbd 1065->1095 1170 9e9344f-9e94448 1094->1170 1171 9e924ee-9e93447 1094->1171 1502 9e9128f-9e921fb 1095->1502 1503 9e90fc3-9e91287 1095->1503 1736 9e9473e-9e94751 1170->1736 1737 9e9444e-9e94736 1170->1737 1171->1170 1502->1094 1503->1502 1741 9e94db8-9e95d30 1736->1741 1742 9e94757-9e94db0 1736->1742 1737->1736 2126 9e95d30 call 9e9717b 1741->2126 2127 9e95d30 call 9e971b1 1741->2127 2128 9e95d30 call 9e971c0 1741->2128 1742->1741 2125 9e95d36-9e95d3d 2126->2125 2127->2125 2128->2125
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8983e4073153b15a69c4076db0ff410f56a743185f2b936681f646399fb7d2ca
                                              • Instruction ID: 47558c2e179be8d4f42c7ba454a05d9739f33b866d87bede8427b9772e106068
                                              • Opcode Fuzzy Hash: 8983e4073153b15a69c4076db0ff410f56a743185f2b936681f646399fb7d2ca
                                              • Instruction Fuzzy Hash: 84B31870E012288BCB55EF39E8946ADBBF2FF89600F0084EAD449A7354DE345E95CF56

                                              Control-flow Graph
                                              APIs
                                              • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0A1CA473
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_a1c0000_po.jbxd
                                              Similarity
                                              • API ID: CreateProcessUser
                                              • String ID:
                                              • API String ID: 2217836671-0
                                              • Opcode ID: 5f1dae9f7c0eddb765db3b23d99d87bdde55e9572880b3906b2c8cc7ed8a9bbb
                                              • Instruction ID: 0593b13f9c9e39d991017ca34476edb8ba101c96e1b453970a4d2917ccf9f269
                                              • Opcode Fuzzy Hash: 5f1dae9f7c0eddb765db3b23d99d87bdde55e9572880b3906b2c8cc7ed8a9bbb
                                              • Instruction Fuzzy Hash: 0151267190026EDFDB25CF59C840BDDBBB6BF48310F0484AAE909B7250DB759A85CF50
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 09E7ADAB
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330199411.0000000009E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e70000_po.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 20400efcdcf4902a6ad1597ee36c28cb3d17572c9b7755de1e08a6080fe3ab28
                                              • Instruction ID: 9bf61af45841f3a3c8a1fa0b493b601038d3a1c19c6779441ee6c0bf8b4e58b6
                                              • Opcode Fuzzy Hash: 20400efcdcf4902a6ad1597ee36c28cb3d17572c9b7755de1e08a6080fe3ab28
                                              • Instruction Fuzzy Hash: CC410771E006488FEB18CFAA98407DEFBF7AFC8314F08C0AAD558A6265D73409458F62
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b868523b66c93e9fed9d2927d29a1dcc78ecb29e1f61524704a4f65388b99d31
                                              • Instruction ID: 5198b25383f7dbe69a617b2910c111c75baaf1cca691895f41164dc878408e28
                                              • Opcode Fuzzy Hash: b868523b66c93e9fed9d2927d29a1dcc78ecb29e1f61524704a4f65388b99d31
                                              • Instruction Fuzzy Hash: 76924970A04205DFCF14CF69C984AAEBBF2FF89314F259599E855AB2A1DB30ED41CB50
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1839cb6de15fb2fbde71d2d0184080681cfe5dd282ba093d18b67c051511b440
                                              • Instruction ID: 5f4acf1a7516f4b7cdfa835d85db9a58b7e7def272b1bdb02125990f27b85e4e
                                              • Opcode Fuzzy Hash: 1839cb6de15fb2fbde71d2d0184080681cfe5dd282ba093d18b67c051511b440
                                              • Instruction Fuzzy Hash: E4728A70A142199FDF14DF69C884AAEBBF2FF88304F248069E445AB3A5DB34DD45CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6daa5c63adc48fffff995d1620812d090a767dbf4fbf6ece5ae5c8ea03d2170a
                                              • Instruction ID: c83846cb16af85901ba29ca03c16778dc66c3db02592ac30bca286daed66d309
                                              • Opcode Fuzzy Hash: 6daa5c63adc48fffff995d1620812d090a767dbf4fbf6ece5ae5c8ea03d2170a
                                              • Instruction Fuzzy Hash: C8524F30A00218CFDF549B75D954BAEB6B2FF88300F2494AAD50ABB395DB749D81CF91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e81251e0e992740e47b59d6a1bc9640ad0725c5593bd8a0d098bd0a950955c71
                                              • Instruction ID: a9590a52871745c130b96155484bb63eac0f64925d0f32d7f6640a46cd4b3c86
                                              • Opcode Fuzzy Hash: e81251e0e992740e47b59d6a1bc9640ad0725c5593bd8a0d098bd0a950955c71
                                              • Instruction Fuzzy Hash: 30128030A00218CFDF149B79DA54BAE77B2FF88314F2494AAD50ABB395DB748D81CB51

                                              Control-flow Graph
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: h^$h^$h^$h^
                                              • API String ID: 0-3481089990
                                              • Opcode ID: d383471cf843638206b1ec3feeb3daa2336b1e90796d1f6f66b1a7d4e08d6ec0
                                              • Instruction ID: fd9267dcc4827a2a6533bb033d0265eb2fcb32ecafce665d3ae91a04f5ce10a5
                                              • Opcode Fuzzy Hash: d383471cf843638206b1ec3feeb3daa2336b1e90796d1f6f66b1a7d4e08d6ec0
                                              • Instruction Fuzzy Hash: 17317C36604609AFCF06DF64E848AAE3BA2FF88325F105029F906AB355CB39DD51DB50

                                              Control-flow Graph
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: h^$h^
                                              • API String ID: 0-3878174173
                                              • Opcode ID: 977336d42c5892cb2a829159c6fd2904c47969162d46eafbfe04102737836564
                                              • Instruction ID: 1a27fa136f036ee37e4547e2390ccdafcd6138d43b98a74c55f25466c0068665
                                              • Opcode Fuzzy Hash: 977336d42c5892cb2a829159c6fd2904c47969162d46eafbfe04102737836564
                                              • Instruction Fuzzy Hash: 4A2137357056118FCB169B35C85452EBBE2EFCA72671840BAE80AEB395CF34DC02C790

                                              Control-flow Graph
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_87c0000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9900ccab8d756cfc54535722c780801b4d40e25f294993b38c3fe674b04aa43e
                                              • Instruction ID: 00d23c8be967c3738e872439c088eed50ee73c8293e8a7f7538c48a4bf28b27f
                                              • Opcode Fuzzy Hash: 9900ccab8d756cfc54535722c780801b4d40e25f294993b38c3fe674b04aa43e
                                              • Instruction Fuzzy Hash: 245100B5C00249AFDF12CFA9C884ADDBFB5BF49310F25816EE808AB225D771A855CF51

                                              Control-flow Graph
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 087CD802
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_87c0000_po.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 951398eb016d423e23df5b530cf6bfa94ad1f3efd0f6fabba5057d7de1485227
                                              • Instruction ID: b0a0a2010cafc140e5308c2eefcc7201b5f5659e7222c984d46f05d4ad0c122a
                                              • Opcode Fuzzy Hash: 951398eb016d423e23df5b530cf6bfa94ad1f3efd0f6fabba5057d7de1485227
                                              • Instruction Fuzzy Hash: 5A51C0B5D003499FDB14CFAAC884ADEBFB5BF48310F24812EE818AB214D774A945CF90
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 087CD802
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_87c0000_po.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 19ff173c30a12a55fcb4c289bbd55e0b6aa852eda48c497ab9e4b255025c05d5
                                              • Instruction ID: cac33d54fdacf7c0d1d77529bb1ffc01172a4bab3a1e91843122541508602622
                                              • Opcode Fuzzy Hash: 19ff173c30a12a55fcb4c289bbd55e0b6aa852eda48c497ab9e4b255025c05d5
                                              • Instruction Fuzzy Hash: D34190B1D003499FDB14CF9AC884ADEBFB5BF48310F24812EE818AB214D7759845CF95
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3320071743.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_4f90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: P
                                              • API String ID: 0-1343716551
                                              • Opcode ID: 902c87f7aff5b2c26245d0c850450e8116f80006bad23243ad4e4fabc9d1a486
                                              • Instruction ID: d66a94a026b304d5d62f6b79028815a61e114cc41246a1de90e79fd6ff3b937d
                                              • Opcode Fuzzy Hash: 902c87f7aff5b2c26245d0c850450e8116f80006bad23243ad4e4fabc9d1a486
                                              • Instruction Fuzzy Hash: B1C1F271B1020ACBD708FF78F85976E7AE6EF84254F104829E446E3398EE3C9C469791
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 087CFD71
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_87c0000_po.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: ccb1cbdc2123200fbdb80a6e719826b50a5edb7d2e0984d5af3d13de980b7dbd
                                              • Instruction ID: 2408fe010bf5ffa9f436376fbf8b0e36ca41bbbb2d204a13bc2cae01cfe8b981
                                              • Opcode Fuzzy Hash: ccb1cbdc2123200fbdb80a6e719826b50a5edb7d2e0984d5af3d13de980b7dbd
                                              • Instruction Fuzzy Hash: 534169B9900309CFCB14CF89C488AAABBF6FF88310F24845CD508AB325C774A841CBA1
                                              APIs
                                              • DeleteFileW.KERNELBASE(00000000), ref: 09C97DA8
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330063494.0000000009C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9c90000_po.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 623fa72f45bedfec264a7d61192690d43f75b33c182d213353f4a2a716ca1d07
                                              • Instruction ID: 6c9eab76c5ec1072ddd0fe09e013bb1fc778bdf9aa65699db6b7ed31dba7805c
                                              • Opcode Fuzzy Hash: 623fa72f45bedfec264a7d61192690d43f75b33c182d213353f4a2a716ca1d07
                                              • Instruction Fuzzy Hash: 1031B2B2C197898FDB02CF65C8147EABFB4EF46210F198196D454EB292D3385905CBA2
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 09E7ADAB
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330199411.0000000009E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e70000_po.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: e7cbc11e28194e21139f493f4a0f7d39f8575312b2a9135acc735db01f466695
                                              • Instruction ID: ad399214bc259812aa64c50d71127c9ff7bf30f62e3dd167a24c19fb6b11b2e1
                                              • Opcode Fuzzy Hash: e7cbc11e28194e21139f493f4a0f7d39f8575312b2a9135acc735db01f466695
                                              • Instruction Fuzzy Hash: 42317C718043499FEB10DFA9C945BEEFFF4EB48314F148469D458A3651E3389951CFA1
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A1CCDA0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_a1c0000_po.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 3ce92de36f94679b022c27d87d8a4fc6b1b31f6023999b452c6b48679f863e79
                                              • Instruction ID: 8e5cf8dd0ffe1c3d31e6ab12d581b162e00255c5af3d6c38a0113c2d836d9605
                                              • Opcode Fuzzy Hash: 3ce92de36f94679b022c27d87d8a4fc6b1b31f6023999b452c6b48679f863e79
                                              • Instruction Fuzzy Hash: 5B212A719003499FDB10CFAAC885BEEBBF5FF88310F10842AE918A7240D7789954CFA5
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0A1C3393
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_a1c0000_po.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: e5935730630b2b8f1f0cb93b94913f58e4db652f18a02325ff1c1bc35595d21a
                                              • Instruction ID: 29a7309f13951c69fa79b8542f67d22da95be21acc47021c4d8b97bfdc8a8560
                                              • Opcode Fuzzy Hash: e5935730630b2b8f1f0cb93b94913f58e4db652f18a02325ff1c1bc35595d21a
                                              • Instruction Fuzzy Hash: D6213975D002499FDB10CF9AC444ADEFBF4EB48320F10846AE868A7610D774A545CFA5
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A1CD50E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_a1c0000_po.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 3d7e5951f8b92c362f4bee3f104ad6d432552161ed7a55ee12e856d955b8927f
                                              • Instruction ID: b443f20c315b2dd53b34cd5ac1797d3081e65776196999eadc20fb14617387a5
                                              • Opcode Fuzzy Hash: 3d7e5951f8b92c362f4bee3f104ad6d432552161ed7a55ee12e856d955b8927f
                                              • Instruction Fuzzy Hash: D02109719003099FDB10DFAAC4857AEBBF4EF88314F14842DD519A7240D778A945CFA5
                                              APIs
                                              • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0A1CC346
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_a1c0000_po.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: e360ec9b1478f7208b142453a3f7781f4f19879cb78a8c0b5d4e394940e0e38e
                                              • Instruction ID: c9d47413732187d65ceb18f61f6f87834f449da4ac04cd4de905466356aad9ba
                                              • Opcode Fuzzy Hash: e360ec9b1478f7208b142453a3f7781f4f19879cb78a8c0b5d4e394940e0e38e
                                              • Instruction Fuzzy Hash: 13210971D003098FDB10DFAAC4857AEBBF4AF88314F14842AD519A7240D778A945CFA5
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 087C974F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_87c0000_po.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 24f7d516513db846091a09ef64925f2f5e95d6735ca501811e801164de6ccc52
                                              • Instruction ID: 499a7e7e14f0c8bc1e75060131c2bf935d2ba2d1cc4ee9784d7871dc59f4a1a5
                                              • Opcode Fuzzy Hash: 24f7d516513db846091a09ef64925f2f5e95d6735ca501811e801164de6ccc52
                                              • Instruction Fuzzy Hash: 1421E5B5901248EFDB10CF9AD984ADEBFF8EB48320F14841AE918A3250D375A950CF65
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 087C974F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_87c0000_po.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 1821fb6190ae0b9a7a2a807dcda562d7dc2b60bee68b9063ab0a43bb19aeef2c
                                              • Instruction ID: 521e59ce49ce04025497283f2f0515fad3aceb266c51630ff6842280328819b2
                                              • Opcode Fuzzy Hash: 1821fb6190ae0b9a7a2a807dcda562d7dc2b60bee68b9063ab0a43bb19aeef2c
                                              • Instruction Fuzzy Hash: 4B21C4B5901249DFDB10CF9AD984ADEBFF8EB48320F14841AE918A3350D375A954CFA5
                                              APIs
                                              • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0A1CD27F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_a1c0000_po.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 25f955439f32402b30ec8a117dab51523994c13610fadcd1f0eacba01e9a9efa
                                              • Instruction ID: a0aeaeaa7e0d5e83288e50bd7e3d9587d4dff794aa1835a8fc9aed659da23483
                                              • Opcode Fuzzy Hash: 25f955439f32402b30ec8a117dab51523994c13610fadcd1f0eacba01e9a9efa
                                              • Instruction Fuzzy Hash: CF212971C003499FDB10DFAAC844BEEBBF5EF88320F14842AD519A7250D779A945CFA5
                                              APIs
                                              • DeleteFileW.KERNELBASE(00000000), ref: 09C97DA8
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330063494.0000000009C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9c90000_po.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 461baf3b71874754df3afecd3ef95846080a5351506eaf5f68ae18d0df906e0a
                                              • Instruction ID: dc8caa03f97ad75d9926bc68832f5e45fd769b5346400cbb3aef6df44d0b3e7c
                                              • Opcode Fuzzy Hash: 461baf3b71874754df3afecd3ef95846080a5351506eaf5f68ae18d0df906e0a
                                              • Instruction Fuzzy Hash: DF1138B2C106599FDB14CF9AD445BEEFBB4EF48720F14815AD818A7240D738A940CFA5
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0A1C3393
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_a1c0000_po.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 83dbef0fc253b376e892b0634757c33ab9cc49ab094be719c85dae6b357a9474
                                              • Instruction ID: 29d9af587bb246f65f180fa01e4b5e360e6a7f823942023c1a3aba36e4eefb8a
                                              • Opcode Fuzzy Hash: 83dbef0fc253b376e892b0634757c33ab9cc49ab094be719c85dae6b357a9474
                                              • Instruction Fuzzy Hash: 1621D3B5D002499FDB10CF9AC985BDEFBF8EB48320F10842AE558A7250D778A945CFA5
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,087C73A1,00000800,00000000,00000000), ref: 087C75B2
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_87c0000_po.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: b269dadecd776992cf4ce6186ed9a06b6d0953964e1d1581479536c89f6c096e
                                              • Instruction ID: 8b84fc7520ad80f6eb23de1d7d7b6e459cd1716edab3c68678db1c686afd728e
                                              • Opcode Fuzzy Hash: b269dadecd776992cf4ce6186ed9a06b6d0953964e1d1581479536c89f6c096e
                                              • Instruction Fuzzy Hash: B51114B68002499FDB24CF9AD844AAEFBF4EB88320F14842ED519A7200C775A945CFA5
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,087C73A1,00000800,00000000,00000000), ref: 087C75B2
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_87c0000_po.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 61f3ca949299c3907eb443bdc3ffd872b0b3d011dd06ed74a542ec8004ee90f9
                                              • Instruction ID: dc3c442229300fc38ccc8f469b0062ca855ad465aa567c130db4d190f782eeed
                                              • Opcode Fuzzy Hash: 61f3ca949299c3907eb443bdc3ffd872b0b3d011dd06ed74a542ec8004ee90f9
                                              • Instruction Fuzzy Hash: D21126B6C00249CFDB24CF9AD884AEEFBF4EB88310F14852ED519A7200C775A545CFA5
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 09E7ADAB
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330199411.0000000009E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e70000_po.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 83216861b8caf4486061d081700da4660f613fbd4e783c858fea446a5501ceba
                                              • Instruction ID: af4f013bf13e16c0089a3440a977afda55be810253e891f617fa64390b2ea362
                                              • Opcode Fuzzy Hash: 83216861b8caf4486061d081700da4660f613fbd4e783c858fea446a5501ceba
                                              • Instruction Fuzzy Hash: 1C21D3B59002499FDB10CF9AC885BDEFBF8EB48324F10842AE558A7250D778A945CFA5
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A1CCA06
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_a1c0000_po.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: c47ca3a8ba8d722f3038010e8f75232b4b29325609c06bad4c2f1b60b398b8a2
                                              • Instruction ID: f8cba9b2169b4d95dee7e3e83afe2342df10c272408e82b0028e25f2b2592554
                                              • Opcode Fuzzy Hash: c47ca3a8ba8d722f3038010e8f75232b4b29325609c06bad4c2f1b60b398b8a2
                                              • Instruction Fuzzy Hash: 631156718002499FDB10DFAAC844BEEBFF5EF88724F148419D519A7250DB79A940CFA5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_a1c0000_po.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 355ea49ff30a44f2ec1f52b5753856bab86e9f00a3cb689a44525dfd1a74476e
                                              • Instruction ID: 18ec434042af37dc05de36310f694292bd3175eb576fd52ff3ab99e709189ce3
                                              • Opcode Fuzzy Hash: 355ea49ff30a44f2ec1f52b5753856bab86e9f00a3cb689a44525dfd1a74476e
                                              • Instruction Fuzzy Hash: D4112871D003498BDB20DFAAC8447AEFBF4AF88724F148419C519A7250DB796944CFA5
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 087C7326
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_87c0000_po.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 47e534a270a98e2211f99443da63d50000c6360d32907005fb8034e79fca7695
                                              • Instruction ID: 458ba0d70a89b3c207b532ca0af6e4ddf0a957759e80e5dc54be1f8cbc330b90
                                              • Opcode Fuzzy Hash: 47e534a270a98e2211f99443da63d50000c6360d32907005fb8034e79fca7695
                                              • Instruction Fuzzy Hash: 8E1102B5C00289CEDB24CF9AD844ADEFBF4EB88311F14852EC859A7610C779A545CFA5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A1CDD2D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_a1c0000_po.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: d11685ef23d18f64e0d2f21fd7284b42b57e243f8c23d49c970b350aeb3a8c18
                                              • Instruction ID: 93ec750cf20e018a19f0b8ebfb36c536ff8ca70d871ca6ad29be32be9e840aad
                                              • Opcode Fuzzy Hash: d11685ef23d18f64e0d2f21fd7284b42b57e243f8c23d49c970b350aeb3a8c18
                                              • Instruction Fuzzy Hash: 971103B5800349DFDB20DF9AD985BEEBBF8EB48320F108819E518A7640D375A944CFA5
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 087C7326
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_87c0000_po.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 77d012ebf3ca0dc3b657a1a076df7d7111f85a883548e9aa12c2e3bcd6529409
                                              • Instruction ID: d7c1854632c88fa72420b40d4ee90f6e2e409339226036336ade0e5c25d2ec32
                                              • Opcode Fuzzy Hash: 77d012ebf3ca0dc3b657a1a076df7d7111f85a883548e9aa12c2e3bcd6529409
                                              • Instruction Fuzzy Hash: 081102B5C003498FCB24CF9AC844ADEFBF4AB88320F10841EC818A7210C775A545CFA5
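The entries above are the per-function blocks Joe Sandbox emits for code recovered from memory dumps. The fields a reviewer actually uses are the imported API and the dump region the function sits in (the Offset field): the 0A1C0000 region clusters VirtualAllocEx, VirtualProtectEx and ResumeThread, which is consistent with the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures, while 087C0000 only shows loader-style calls (DuplicateHandle, LoadLibraryExW, GetModuleHandleW). The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in the layout shown here, groups imported APIs by dump region, flags regions containing two or more process-injection primitives, and decodes the uMsg argument of the PostMessageW call (00000010 is WM_CLOSE). The primitive list and the threshold are the example's own assumptions; the input is constructed from entries copied from this page, trimmed to the fields the script reads.

```python
# Added example (not Joe Sandbox tooling): triage Joe Sandbox "Memory Dump Source" entries.
import re
from collections import defaultdict

# Constructed input: entries copied from the report above, reduced to the fields
# this script reads; unrelated lines (Similarity, Opcode ID, ...) are ignored.
SAMPLE = """
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 087C974F
Memory Dump Source
• Source File: 0000000A.00000002.3329155748.00000000087C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087C0000, based on PE: false
• API ID: DuplicateHandle
APIs
• VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0A1CD27F
Memory Dump Source
• Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
• API ID: ProtectVirtual
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A1CCA06
Memory Dump Source
• Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
• API ID: AllocVirtual
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
• API ID: ResumeThread
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0A1CDD2D
Memory Dump Source
• Source File: 0000000A.00000002.3330456752.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
• API ID: MessagePost
"""

API_CALL = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]{8})")
API_ID = re.compile(r"^•\s*API ID:\s*(.*)$")

# Assumption of this example: two or more of these in one region = injection toolkit.
INJECTION_PRIMITIVES = {
    "VirtualAllocEx", "VirtualProtectEx", "WriteProcessMemory", "ResumeThread",
    "CreateRemoteThread", "SetThreadContext", "NtUnmapViewOfSection",
}
WINDOW_MESSAGES = {0x10: "WM_CLOSE", 0x12: "WM_QUIT"}  # values from winuser.h


def parse_entries(text):
    """Split report text into one dict per function entry."""
    entries, cur = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        # An entry starts at 'APIs'/'Strings', or at 'Memory Dump Source' once the
        # previous entry already has its source line (entries that list neither).
        new = line in ("APIs", "Strings") or (line == "Memory Dump Source" and cur and cur["offset"])
        if new or cur is None:
            cur = {"calls": [], "offset": None, "api_id": ""}
            entries.append(cur)
            if line in ("APIs", "Strings", "Memory Dump Source"):
                continue
        m = API_CALL.match(line)
        if m:
            cur["calls"].append({"api": m.group(1), "module": m.group(2), "args": m.group(3), "ref": m.group(4)})
            continue
        m = OFFSET.search(line)
        if m:
            cur["offset"] = m.group(1)
            continue
        m = API_ID.match(line)
        if m:
            cur["api_id"] = m.group(1).strip()
    return entries


def api_names(entry):
    names = {c["api"] for c in entry["calls"]}
    if not names and entry["api_id"]:
        names.add(entry["api_id"])  # fall back to the normalized ID when the call line is absent
    return names


def regions(entries):
    """Map each dump region (Offset) to the set of APIs its functions import."""
    by_region = defaultdict(set)
    for e in entries:
        if e["offset"]:
            by_region[e["offset"]] |= api_names(e)
    return dict(by_region)


def flag_injection_regions(by_region, threshold=2):
    return {off: sorted(apis & INJECTION_PRIMITIVES)
            for off, apis in by_region.items() if len(apis & INJECTION_PRIMITIVES) >= threshold}


def posted_messages(entries):
    """Decode the uMsg argument of every PostMessageW call found in the entries."""
    out = []
    for e in entries:
        for c in e["calls"]:
            if c["api"] == "PostMessageW":
                msg = int(c["args"].split(",")[1], 16)
                out.append((c["ref"], WINDOW_MESSAGES.get(msg, hex(msg))))
    return out


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    print("injection regions:", flag_injection_regions(regions(found)))
    print("posted messages:", posted_messages(found))
```

DuplicateHandle, LoadLibraryExW and GetModuleHandleW are deliberately left out of the primitive set: they occur in ordinary .NET loader code as well, so counting them would flag the 087C0000 region on no evidence. Extend the set (WriteProcessMemory, NtUnmapViewOfSection, SetThreadContext are already there for the hollowing variants) or raise the threshold according to what the remaining dumps in a report show.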
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: h^
                                              • API String ID: 0-813783515
                                              • Opcode ID: 2657fdc5fde63d4dd91f3ce490839a5246b4a134edaf505afd950aaa38b0201b
                                              • Instruction ID: 3a594db0ecd0a02afca81f3219843bacde13752a8988aa65c386c53c02cf1da2
                                              • Opcode Fuzzy Hash: 2657fdc5fde63d4dd91f3ce490839a5246b4a134edaf505afd950aaa38b0201b
                                              • Instruction Fuzzy Hash: 41714B34A002198FCF04DF69C8949A9BBB2FF89315B25906AE445FB365EB31EC41CB51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: h^
                                              • API String ID: 0-813783515
                                              • Opcode ID: f542fa15b53eeda1497588cbd58a0edeb84db52368f6458aad6a074b35752c46
                                              • Instruction ID: 09d16ae6a9bc4f0f9d245874c48d609495642d92ac2773c5af81c37ffb801845
                                              • Opcode Fuzzy Hash: f542fa15b53eeda1497588cbd58a0edeb84db52368f6458aad6a074b35752c46
                                              • Instruction Fuzzy Hash: 6721F1313042014BEF22577E845437E3AA79FC971AF24507ED502EB397EB6ACC429751
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ')o
                                              • API String ID: 0-1527278165
                                              • Opcode ID: 65dfe0ee2ac3b1c0091d4b3e1104b60eade27cf1f719ffdd4ffaae4a3af894ab
                                              • Instruction ID: ffb225ba71daff0873b1f1dea1bb0ab8d63dc4b8c3cbe61b8eed7c3fcaaf606b
                                              • Opcode Fuzzy Hash: 65dfe0ee2ac3b1c0091d4b3e1104b60eade27cf1f719ffdd4ffaae4a3af894ab
                                              • Instruction Fuzzy Hash: B9D012372641085E4F40EFE5E840DA277DCBB14710300D572F508C7020E633E868D751
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ef8eccb34517812bcc9563aa8ab85a39b13ba64a86b9472fc638c21ad3fa4a1f
                                              • Instruction ID: 7980a164974d972ed5c089dbf29c7221d4b240da42c5dba24a68fc2379cd961f
                                              • Opcode Fuzzy Hash: ef8eccb34517812bcc9563aa8ab85a39b13ba64a86b9472fc638c21ad3fa4a1f
                                              • Instruction Fuzzy Hash: DC620E70A00219CFEB14DBA5C864B9EBBB2FF84304F1480A9D6067B7A6DB349D45DF91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3320071743.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_4f90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9f82f0dde180a680ba891aae149da6742cb63137b186948ef7d58794456044d8
                                              • Instruction ID: 3b464efd1f89b8355958d1f663ecc43b54eddae56c1c0ba422ca6833c1c00a75
                                              • Opcode Fuzzy Hash: 9f82f0dde180a680ba891aae149da6742cb63137b186948ef7d58794456044d8
                                              • Instruction Fuzzy Hash: 7172283490021B8FCB59EF75E898A9DBBB2FB85301F104669D106AB359DF306E85CF91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 463cc86991858fdd20e85d33573b287495983b21f8079584cf91b9942e726627
                                              • Instruction ID: 0fbe77394881e53f70c134af42a63001ed573b49c9a551d7281410588d6c9464
                                              • Opcode Fuzzy Hash: 463cc86991858fdd20e85d33573b287495983b21f8079584cf91b9942e726627
                                              • Instruction Fuzzy Hash: BE120430B052868FDB05BF79F86566E7FF1EF85200F05486AE085D7291DE38AC16C7A2
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7021f31695272ede9b609ac854b2fc1444d903348326841ce47ae60909366dce
                                              • Instruction ID: 11f1a912b1f07476227ee2447491d455b0ffde693122b67e55ead3103ad936e9
                                              • Opcode Fuzzy Hash: 7021f31695272ede9b609ac854b2fc1444d903348326841ce47ae60909366dce
                                              • Instruction Fuzzy Hash: ACE18D70B112158FCB04FF79E9986AE7BF5EF88304B104879E445E7364EE39AC1587A2
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e7efedb451246dc5199f1735055f77f106ed5e26f5e5dfd188edf8cc0f60a2da
                                              • Instruction ID: b5be005663d606ae30daf3db17d8929e6e77e0a9543cffed653b79a0fcd12822
                                              • Opcode Fuzzy Hash: e7efedb451246dc5199f1735055f77f106ed5e26f5e5dfd188edf8cc0f60a2da
                                              • Instruction Fuzzy Hash: 1202C070A152598FCB05FF78E85465D7BF2FF4A204F0048AAE446E73A5DB385C16C762
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0969f293b6fceda2505c9e67aad4afe9745166fe75e3aaac875cbc905b6c6486
                                              • Instruction ID: 654811a6348dc1ed60a25d9fbdac8349679fca7f052c03bbef77cdbc0a6346c0
                                              • Opcode Fuzzy Hash: 0969f293b6fceda2505c9e67aad4afe9745166fe75e3aaac875cbc905b6c6486
                                              • Instruction Fuzzy Hash: 400247B0E00259CFCB05EF79E85829D7BB2FF88311F0149A9E44AE7354EB785C558B92
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3e2a8530f4b9920f5feab7e9216d33706ab31dfda190fe7fbb1700eb8815095b
                                              • Instruction ID: b65cbaa40a35615b758110b84115a4f27be6c7c7f69231ac2081008891a56975
                                              • Opcode Fuzzy Hash: 3e2a8530f4b9920f5feab7e9216d33706ab31dfda190fe7fbb1700eb8815095b
                                              • Instruction Fuzzy Hash: E4F14C71A11219CFCB04FFB9E85865E7BF2FB89204B104969E445E7364EF38AC168B91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6b0ea117ae1ddf66576b9a0624cc120e5288dc9498959f64a79c12ee433d4483
                                              • Instruction ID: 42a153ec060ccc00fadb2f45d13c5a51d878df9a7ab0d20ea2c542160866f000
                                              • Opcode Fuzzy Hash: 6b0ea117ae1ddf66576b9a0624cc120e5288dc9498959f64a79c12ee433d4483
                                              • Instruction Fuzzy Hash: 91F15B71B11119CFCB04FFB9E85865E77F2FB89204B104969E446E7364EF38AC168B91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a3a357cf5a844a727f894c360247bfe79b1d031f678159a97277dae1570fb10f
                                              • Instruction ID: 90233c9ba7920636a8ae686c9335f0c6cd34c44b88f2270f1432d8ce4ef9afbe
                                              • Opcode Fuzzy Hash: a3a357cf5a844a727f894c360247bfe79b1d031f678159a97277dae1570fb10f
                                              • Instruction Fuzzy Hash: 88E1EE307002049FDF19EF75D858B6E7BA2EB88365F14982AE506EB399DB34DC41CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c2fa92088121f1ba077a048bd19e0fef97c950ce57d899e484589db65cb3f9a
                                              • Instruction ID: a5f43a884e6408a8715af90726ef1914b49df42e6e5a11db9ee69a1e4183c179
                                              • Opcode Fuzzy Hash: 6c2fa92088121f1ba077a048bd19e0fef97c950ce57d899e484589db65cb3f9a
                                              • Instruction Fuzzy Hash: D4D1D271B112168FCB04FF79E99876E77E2EF48214F204869E406E7354EE78AD05C7A2
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 92f0ab78fa79adb773c7693ce9d94072815b69293d43b22005b5f951dbee12fa
                                              • Instruction ID: fe7293cb1dcf18e20cf759acfa9bbab0b90cc1fbbebab81a57c9b38ec0ddc554
                                              • Opcode Fuzzy Hash: 92f0ab78fa79adb773c7693ce9d94072815b69293d43b22005b5f951dbee12fa
                                              • Instruction Fuzzy Hash: A3D1CF71B10215CFCB04FFB9E89966E7BE2EB88310F544829E445D7364DE38AC56CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cc0b0951b02ab42caeb09432bc6d1c873c0d4330591e68f20f991b34a806ee6c
                                              • Instruction ID: 184d4528116365cb8e1a196bfa9b88b1a2699c02accae4b5fe8601d17e2b8c5c
                                              • Opcode Fuzzy Hash: cc0b0951b02ab42caeb09432bc6d1c873c0d4330591e68f20f991b34a806ee6c
                                              • Instruction Fuzzy Hash: 87D1F870B053858FC706EF75E86469D7FF1EF4A204B1544EAD481DB3A6DA389C0AC762
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aa48b0b642920f8b792c2622817c3333ff4d1b94e080053b1772c57f131f6c77
                                              • Instruction ID: 285541d9fff9151adc80f946dda0fac034bcf4b21c2b8a2862f6a9dc29728360
                                              • Opcode Fuzzy Hash: aa48b0b642920f8b792c2622817c3333ff4d1b94e080053b1772c57f131f6c77
                                              • Instruction Fuzzy Hash: C1E11975A00214CFCB04DF68CA8899DBBF6FF99315B169499E505AB371CB34EC41CB64
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ee6e41eb4417399afab95fc76ad3b00287d22fa9b48f358ab47ed0ace36e9888
                                              • Instruction ID: f7641bc8004296cc35028d8d44f824d98681267fecccb3445a002cbf203906e8
                                              • Opcode Fuzzy Hash: ee6e41eb4417399afab95fc76ad3b00287d22fa9b48f358ab47ed0ace36e9888
                                              • Instruction Fuzzy Hash: B6C1C070B012168FCB04FF79E99876E77E2EB48214F10486DE446E7354EE78AC05C7A2
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 94386278dc887c38dd29dd8f057373c9506fc953584ee3e145a80b38dce927c5
                                              • Instruction ID: 739c35389df2dc26f54561b5aed1ad1e01847b7e0f588691f5252971fc417d15
                                              • Opcode Fuzzy Hash: 94386278dc887c38dd29dd8f057373c9506fc953584ee3e145a80b38dce927c5
                                              • Instruction Fuzzy Hash: 83C1C131B002098FCF14DF69C494AAE7BB2AFC9315F249169E819EB355DB35DC42CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 79e64b968cc4e9b4fb784bad7c19acaa08b80a4afaa4fa449c4656ffd0ae8216
                                              • Instruction ID: 85e4cc21714fe4ade60a272a7ba41f4f04dabfc1078d29bf74cd2c7ad3aac3ef
                                              • Opcode Fuzzy Hash: 79e64b968cc4e9b4fb784bad7c19acaa08b80a4afaa4fa449c4656ffd0ae8216
                                              • Instruction Fuzzy Hash: 00A1E071B112058FCB04FF78E89866E7BF2EF49310B544869E441DB3A5DA3C9C4ACBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d3626d56379e174c863717f3c3fbd67a688febfdf8896699b454c81ab9ebbb85
                                              • Instruction ID: 38e5d5becf1f710eea8f0725d1e43bbc7e81a487d93907e925f927529f06b317
                                              • Opcode Fuzzy Hash: d3626d56379e174c863717f3c3fbd67a688febfdf8896699b454c81ab9ebbb85
                                              • Instruction Fuzzy Hash: C8A1C6B4B04208DFEF189BB5D454F6E76B2FBC4315F245829E406EB3C8EA748C829795
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 34136c63dfe7d6a004fade12efe994df1923b4a8e39f9aeebaeebedd065b880e
                                              • Instruction ID: 7cff81e3b4a294b63dcc03c2a2b247f9b03b6ee76526d400a5ee86a60d37315c
                                              • Opcode Fuzzy Hash: 34136c63dfe7d6a004fade12efe994df1923b4a8e39f9aeebaeebedd065b880e
                                              • Instruction Fuzzy Hash: 0191B3B4B04204DFEF148BB5D854FAE77A1FB84315F24582AE406EB3C4EA748C42C795
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 06fb3fd9f529f8a290c4f211bf68ce8b6ffba82dfa46aa9b8c39977e907f53e0
                                              • Instruction ID: d4d06a6e41d5194318fa626843bd8f8de82939710a2096690eb04d686da2af69
                                              • Opcode Fuzzy Hash: 06fb3fd9f529f8a290c4f211bf68ce8b6ffba82dfa46aa9b8c39977e907f53e0
                                              • Instruction Fuzzy Hash: 2381B4B4B04204CFEF189BB5D454FAE76B2FB84315F245829E006EB3C8EA748C82DB55
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3320071743.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_4f90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a5d207edf1df4acdabbdeac6d4f849bfdbeeb5f491e23f6db55932c64436f426
                                              • Instruction ID: 320a64076935b16fd6cc320db67935ed56f02e419ee83dd61e1853589f0b6c63
                                              • Opcode Fuzzy Hash: a5d207edf1df4acdabbdeac6d4f849bfdbeeb5f491e23f6db55932c64436f426
                                              • Instruction Fuzzy Hash: 78A18331A10605CFDB14EF69C88499DBBB2FF89314F1186A9E505AB365EB70ED85CF80
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 492a046f03c24a5ee494782804aac6923a74aa9f0cd63f634e34cf8aa1b35138
                                              • Instruction ID: a01b009ef2e2373f4df4a58bdf697e9f9120b81a091e7f2868ff40cda6a94f70
                                              • Opcode Fuzzy Hash: 492a046f03c24a5ee494782804aac6923a74aa9f0cd63f634e34cf8aa1b35138
                                              • Instruction Fuzzy Hash: 6D81A5716002489FDB15DF69C844BAEBBE6FF88314F148469E805EB3A1CB389C41CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d67ffbc86dffbed57517d42c64281bf64fcf59fe433483aa59156d23840853f6
                                              • Instruction ID: 58e8bdac8d3b8e15e0ff822a2fad9f1908ee8207ef8abbb4fc3afb15018bfd28
                                              • Opcode Fuzzy Hash: d67ffbc86dffbed57517d42c64281bf64fcf59fe433483aa59156d23840853f6
                                              • Instruction Fuzzy Hash: D8719130B10117CFCB04FFB9E895A6E77E6FB88354F608569E44AD7359EA34AC0187A1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0b341f6331f29c04d400bd40829c90e3dbf4059c3d62c5fadd6362d7e344362f
                                              • Instruction ID: f10ea955286922673ea56e6ee2a80553bfefabafe7c71832eb959f89e35cbe98
                                              • Opcode Fuzzy Hash: 0b341f6331f29c04d400bd40829c90e3dbf4059c3d62c5fadd6362d7e344362f
                                              • Instruction Fuzzy Hash: 1B817230A00208DFEF14DB65EA55BAE7BB2FB84300F20546AD506FB395EB748D85DB51
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dfc6aaf205c3b02b7833aeb90681509b5e17dbac63bc9a47143677237983083b
                                              • Instruction ID: 8d1fe13ae91e20aeca7924095d513461a04231eee29c85e6b4bba8461b676343
                                              • Opcode Fuzzy Hash: dfc6aaf205c3b02b7833aeb90681509b5e17dbac63bc9a47143677237983083b
                                              • Instruction Fuzzy Hash: F7817130A00208DFEF14DB65EA55BAE7BB2FB84300F20546AE506FB395EB748D85DB51
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 854df3f4446c239ebcb551fad3c250fd0b0dbff5282fe717afb182d63ad0fc39
                                              • Instruction ID: 91cf13625dd4d0bc25e8d3a8c73ae471f3f1f18ecef9ee1de6ff6044c8bb6fdd
                                              • Opcode Fuzzy Hash: 854df3f4446c239ebcb551fad3c250fd0b0dbff5282fe717afb182d63ad0fc39
                                              • Instruction Fuzzy Hash: D75190313141518FCB16DF3EC884A6A7BE9EF4975575950BEE816DB2A3DB20EC02CB60
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9c2727074b18c65c33fae9395d3a1ac6abc9de20c360a6c3364fa5dba716c51f
                                              • Instruction ID: 47e12b316d1fe1e59ec72dc6326b2dffcc086603f3a53c19baa9b934333a439e
                                              • Opcode Fuzzy Hash: 9c2727074b18c65c33fae9395d3a1ac6abc9de20c360a6c3364fa5dba716c51f
                                              • Instruction Fuzzy Hash: F551F471B052468FCB04FFB9E85576F7BF5EB84210F14856AE449E3354EE38AC0587A2
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b036f7389f98c9b32650fb3c02dd73da8a3003a44b2ad0480b5126e4f170c17e
                                              • Instruction ID: a0b7dcc7c48fce9060794dd967d10305ef12c784553c5fae3017b21bcab5a0dc
                                              • Opcode Fuzzy Hash: b036f7389f98c9b32650fb3c02dd73da8a3003a44b2ad0480b5126e4f170c17e
                                              • Instruction Fuzzy Hash: 7A614930A0520CDFDF14DFA9E694BEEB7B6FB84304F215066E506AB398CB319D418B91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 28af541e4af3dbc30a22666db673e239f4c80b6a147a2d8609b45240d69347fb
                                              • Instruction ID: b0543b15de95605c97f7654c639bcc24a205d74e82eac13b6e159636c4d61cc9
                                              • Opcode Fuzzy Hash: 28af541e4af3dbc30a22666db673e239f4c80b6a147a2d8609b45240d69347fb
                                              • Instruction Fuzzy Hash: 60411731A053558FCB05EB79881419EBFF2EFCA220B24816AD504FB255EA315D06CBD1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5746a883cab3726d6939106b84250d29d7bc144a00c4122461b7b2018aabfe6b
                                              • Instruction ID: 5eca6d95e5f7c34363fe8fc7faab1f6db627b1043bdb0813fe4226dafdf24688
                                              • Opcode Fuzzy Hash: 5746a883cab3726d6939106b84250d29d7bc144a00c4122461b7b2018aabfe6b
                                              • Instruction Fuzzy Hash: 384156356002069FCB05DF69D888AAA7BB5FF88315F1140A9E906EB3B2C730DD81CB51
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d808cd54b61af06bc25867edbacac4985e0987ffda1f8e52e3f6a40e52c40b09
                                              • Instruction ID: 2a3d7c11bae55e8593c302d47a796d938a506af0508a20f061749a56a7d712f5
                                              • Opcode Fuzzy Hash: d808cd54b61af06bc25867edbacac4985e0987ffda1f8e52e3f6a40e52c40b09
                                              • Instruction Fuzzy Hash: 46312431A092A19FDB129F38D8A46D97FB0FF86324F0540A7D151CF253E7249C4ACB96
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3320071743.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_4f90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a48813e1aee2c2284565b36717fc030b317b2aafede71efe8824382331d6d3a9
                                              • Instruction ID: fa41517ff85c70163d177c7815c0ac751a71eba0680ef92bc328523611b27745
                                              • Opcode Fuzzy Hash: a48813e1aee2c2284565b36717fc030b317b2aafede71efe8824382331d6d3a9
                                              • Instruction Fuzzy Hash: 4C31E534B041009FEB54DF29D408BAB7BF6EB8939AF158075E401EB285DB35ED46C7A1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 74839b2ba4e04c0a92dea73901db3d6cd1b86772e497da6e8eccf3f5925fa848
                                              • Instruction ID: bec3c074ce6c0330e4f482b10deadf9a5961f453bb8fafc24813a58be9210a8e
                                              • Opcode Fuzzy Hash: 74839b2ba4e04c0a92dea73901db3d6cd1b86772e497da6e8eccf3f5925fa848
                                              • Instruction Fuzzy Hash: DB31A1317002049FDB08AB75D858AAE7BF6FFC9721F244469E506EB395DE359C01CBA0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b2a140b2e9da12ef8df21ab7960cc68ee4758323225ff6eca1ae780bb8cbf110
                                              • Instruction ID: e612754266fb9d01451b46fcc5b20ccd85ee01918d17140354b16f898d96c682
                                              • Opcode Fuzzy Hash: b2a140b2e9da12ef8df21ab7960cc68ee4758323225ff6eca1ae780bb8cbf110
                                              • Instruction Fuzzy Hash: 72315470A002058FCB44DF69C98496EBBF6FF85320B15855AE515A73B5DB78AC41CBA0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307327373.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4a3b8437def47b4eca472fbeba313edd899be2896e2969a1ad61982e99100983
                                              • Instruction ID: 4422b8735270ac995df942adfa29c3a8247896d8e0b9d97df6e8cbc708e85107
                                              • Opcode Fuzzy Hash: 4a3b8437def47b4eca472fbeba313edd899be2896e2969a1ad61982e99100983
                                              • Instruction Fuzzy Hash: 1121D0313081558BDF12DE6EEC80AAB7BAAEF85310B15542EF812D7246DB34CC42CB60
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3320071743.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_4f90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 057642ee4dab1de894522a8f92314053a98ff28d7992bded7aa26dc877028cfe
                                              • Instruction ID: 68b1a7b6056ff65aabf5895e4f83f6d359a5ad27f732c22af4df91a2fbed40dd
                                              • Opcode Fuzzy Hash: 057642ee4dab1de894522a8f92314053a98ff28d7992bded7aa26dc877028cfe
                                              • Instruction Fuzzy Hash: AE31D2347006248FCB24DF19C48496AB7F6FB88715B55456EF94ACB761DB32FC828B60
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 762006f3d24780319c2ead0a3c901c13ce187967576b0f81de6d251881356338
                                              • Instruction ID: 1abbe2bf6916c69ab6029eb6f74ec10ac3235bccd6711cde760e9e2b7fd67142
                                              • Opcode Fuzzy Hash: 762006f3d24780319c2ead0a3c901c13ce187967576b0f81de6d251881356338
                                              • Instruction Fuzzy Hash: FA21C271B052568FD704FBB9F858B6E7BE5EB88214F148869E049D3344EE78AC058392
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3330287203.0000000009E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_9e90000_po.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 75010f7d9eb0ef65774c542cd6483f1b67463f3209853ffc4f4c36cef3a1b85f
                                              • Instruction ID: 1763c4cf94561ba5f328435790923a339e479091f940a76b840a75043b03f1ac
                                              • Opcode Fuzzy Hash: 75010f7d9eb0ef65774c542cd6483f1b67463f3209853ffc4f4c36cef3a1b85f
                                              • Instruction Fuzzy Hash: 5211AF71B111268BD704BBB9FC58B6E76E9FB88214F108829E409D3344EE78AC0587A1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3307145907.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                              Joe Sandbox IDA Plugin